A malicious Hugging Face repository, Open-OSS/privacy-filter, impersonated OpenAI's Privacy Filter open-weight model and delivered a Rust-based information stealer to Windows users; Hugging Face has disabled access to the repository since its discovery. The repository mimicked the legitimate OpenAI release (openai/privacy-filter) by copying its description nearly verbatim to trick users into downloading it.
HiddenLayer's analysis found that the project instructed users to clone the repository and run a launcher: a batch script (start[.]bat) on Windows or a Python script (loader[.]py) on other systems. That loader-based workflow, not any model-loading code, fetched and executed the infostealer on Windows.
Shortly before it was disabled, the malicious model reportedly reached the #1 trending position on Hugging Face with approximately 244,000 downloads and 667 likes within 18 hours, though these figures are suspected to be inflated. Once launched, the malware chain uses a PowerShell dropper to fetch second-stage payloads, escalate privileges, and exfiltrate data to a JSON Keeper dead drop before terminating itself. HiddenLayer also observed related activity linking to other repositories and a C2 setup associated with the same attacker infrastructure.
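The lure described above has three static tells that can be checked before anything is run: a model name reused under a different org, executable launchers shipped where only weights and configs belong, and a README that tells the reader to run a script. The audit below is an added example written for this page; it is not HiddenLayer's or Hugging Face's code. The pinned allow-list of official repos, the instruction-matching regex, and the two sample repo snapshots are all constructed assumptions, and no network or Hugging Face API call is made.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allow-list (assumption for this example): which org is
# authoritative for a given model name. In practice you pin the repos your
# organisation trusts; the Hugging Face API is not consulted here.
OFFICIAL_REPOS = {"privacy-filter": "openai"}

# A model repo needs weights and configs, never a launcher. Any of these
# among the files is the core tell in the privacy-filter lure.
LAUNCHER_SUFFIXES = (".bat", ".cmd", ".ps1", ".py", ".sh", ".exe", ".vbs")
WEIGHT_SUFFIXES = (".safetensors", ".bin", ".gguf", ".pt", ".onnx")

# README phrasing that pushes code execution onto the downloader, e.g.
# "run start.bat", "python loader.py" or "execute ./loader.py" (assumed pattern).
RUN_INSTRUCTION = re.compile(
    r"\b(?:run|execute|launch|double[- ]click|python3?)\s+[`'\"]?(?:\.[\\/])?"
    r"([\w.\\/-]+?\.(?:bat|cmd|ps1|py|sh|exe))\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" blocks use; "medium" and "low" warrant review
    message: str


def audit_repo(repo_id: str, files: list[str], readme: str) -> list[Finding]:
    """Audit one repo snapshot (id, file listing, README text) and return findings."""
    findings: list[Finding] = []
    org, _, name = repo_id.partition("/")

    # 1. Name squatting: same model name as a pinned official repo, different org.
    official_org = OFFICIAL_REPOS.get(name.lower())
    if official_org and org.lower() != official_org:
        findings.append(Finding(
            "high",
            f"{repo_id} reuses the model name of {official_org}/{name} under a different org",
        ))

    # 2. Executable launchers shipped alongside (or instead of) weights.
    for path in files:
        if path.lower().endswith(LAUNCHER_SUFFIXES):
            findings.append(Finding("high", f"launcher script in model repo: {path}"))

    # 3. README tells the reader to execute something.
    for match in RUN_INSTRUCTION.finditer(readme):
        findings.append(Finding("medium", f"README instructs reader to run {match.group(1)}"))

    # 4. No weights at all: nothing here can be loaded as a model.
    if not any(p.lower().endswith(WEIGHT_SUFFIXES) for p in files):
        findings.append(Finding("low", "no weight files present; repo is not a loadable model"))
    return findings


def is_blocked(findings: list[Finding]) -> bool:
    """Policy: any high-severity finding blocks download and use."""
    return any(f.severity == "high" for f in findings)


# Constructed sample input modelled on the lure described above; these are
# not the real repository's contents.
LURE_REPO = (
    "Open-OSS/privacy-filter",
    ["README.md", "config.json", "start.bat", "loader.py"],
    "Clone the repo, then run start.bat on Windows or `python loader.py` elsewhere.",
)
# Constructed: what a legitimate weights-only repo looks like.
CLEAN_REPO = (
    "openai/privacy-filter",
    ["README.md", "config.json", "model.safetensors"],
    "Load with transformers: AutoModel.from_pretrained('openai/privacy-filter').",
)

if __name__ == "__main__":
    for repo_id, files, readme in (LURE_REPO, CLEAN_REPO):
        results = audit_repo(repo_id, files, readme)
        print(f"{repo_id}: {'BLOCK' if is_blocked(results) else 'ok'}")
        for finding in results:
            print(f"  [{finding.severity}] {finding.message}")
```

Run it against a local `git clone` or `huggingface_hub` snapshot by passing the file listing and README text; the decision is deliberately static, so the launcher is never executed to be classified. The name-squatting rule only fires for model names you have pinned, so the allow-list is the part to maintain.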