Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
ClickLock macOS Stealer Kills Apps, Forces Password Entry
July 17, 2026
Top 10 Identity Threat Detection and Response (ITDR) Solutions for 2026
July 17, 2026
GPT-5.6 Codex Bug Deletes Files From Home Directories
July 17, 2026
Home/Threats/Hugging Face Repository Executes Malware on Windows Machines
Threats

Hugging Face Repository Executes Malware on Windows Machines

Key Takeaways A popular AI repository on Hugging Face, “Open-OSS/privacy-filter,” distributed sophisticated malware targeting Windows systems. The malicious package mimicked a legitimate...

Sarah simpson
Sarah simpson
May 11, 2026 4 Min Read
43 0

Key Takeaways

  • A popular AI repository on Hugging Face, “Open-OSS/privacy-filter,” distributed sophisticated malware targeting Windows systems.
  • The malicious package mimicked a legitimate OpenAI privacy filter, accumulating over 200,000 downloads before its removal.
  • The multi-stage attack deployed a Rust-based infostealer designed to evade detection and exfiltrate sensitive data, including browser credentials, SSH keys, and cryptocurrency wallet files.
  • The campaign appears to be part of a broader supply chain attack, with the same threat actor linked to six other malicious repositories.

A widely popular artificial intelligence repository hosted on Hugging Face, which garnered over 200,000 downloads, has been identified as a vector for severe malware distribution. This malicious software specifically targets Windows users, a critical finding detailed in a recent analysis by researchers at Hidden Layer.

Table Of Content

  • Key Takeaways
  • Understanding the Malware’s Execution Chain
  • Initial Infection and PowerShell Execution
  • Persistence and Evasion
  • The Infostealer Payload and Credential Theft
  • What You Should Do

The repository, named “Open-OSS/privacy-filter,” achieved significant traction, recording more than 200,000 downloads before the Hugging Face platform team intervened to remove it. The threat actors behind this operation employed a deceptive tactic, cloning the model card almost identically from OpenAI’s legitimate Privacy Filter project. This imitation granted the malicious package a veneer of authenticity, leading thousands of developers and researchers to download and utilize it without suspicion, believing they were engaging with a reputable AI utility.

Hidden Layer’s investigation uncovered the sophisticated malicious code embedded within the repository. Their detailed analysis revealed a multi-stage attack chain, meticulously crafted to stealthily exfiltrate sensitive information from Windows machines while maintaining a low profile throughout its operation.

The malware executed silently in the background, employing a loader file designed to appear and behave like a genuine AI model tool. Once activated on a Windows system, the full extent of the compromise began without any overt indicators to the user.

The rapid proliferation of this campaign was not accidental. Prior to its removal, the repository had climbed to the top trending position on Hugging Face, achieving approximately 244 downloads and 77 likes within a single hour. These metrics strongly suggest artificial inflation, a common tactic used by attackers to boost visibility and ensnare more victims.

Understanding the Malware’s Execution Chain

The attack unfolded through a carefully orchestrated six-stage process. Initially, the model card instructed users to clone the repository and execute either a start.bat file for Windows or a Python loader.py script for Linux/macOS environments.

Initial Infection and PowerShell Execution

Upon execution on a Windows system, the loader.py script would first run a decoy code segment, mimicking a legitimate loader. Subsequently, it invoked a function named verify_checksum_integrity. This function bypassed SSL verification, decoded a base64-encoded URL pointing to jsonkeeper[.]com, retrieved a JSON document, and extracted a command from the cmd field. This command was then passed directly to PowerShell, executing silently with its execution policy bypassed, enabling covert operations.

Persistence and Evasion

The second stage involved PowerShell downloading a batch file, update.bat, from a domain, api.eth-fastscan[.]org, which masqueraded as a blockchain analytics service. This batch file performed six critical actions, including checks for administrative privileges, downloading further payloads, and adding exclusions for the malware’s directories within Microsoft Defender. To ensure persistence, a scheduled task named MicrosoftEdgeUpdateTaskCore was created. Notably, this task was designed as a “one-shot” launcher, deleting itself after execution to obscure its presence.

The Infostealer Payload and Credential Theft

The ultimate payload was a robust 10 MB Rust-based infostealer. This sophisticated malware was engineered to leverage Windows API calls to thwart static analysis and included mechanisms to detect debuggers, sandboxes, and virtual machines, such as VirtualBox, VMware, Hyper-V, and Parallels. If any of these environments were detected, the infostealer would cease operation to avoid analysis.

Once deployed on a genuine system, the infostealer initiated eight concurrent collection modules. These modules systematically targeted sensitive data, including cookies, login credentials, saved passwords, and session tokens from Chrome and Firefox browsers, SSH keys, VPN configurations, FTP credentials, and cryptocurrency wallet files. Additionally, screenshots were captured, compressed, and exfiltrated to a command-and-control (C2) server located at recargapopular[.]com using a POST request with a Bearer token authorization header.

Telemetry from Hidden Layer also linked the same attacker account to six other repositories uploaded on April 24, 2025. All these repositories exhibited nearly identical loader functionality and shared infrastructure with the “Open-OSS/privacy-filter” campaign, strongly indicating a coordinated supply chain attack targeting open-source AI ecosystems.

What You Should Do

  • Isolate Affected Systems: Immediately disconnect any system that downloaded or cloned “Open-OSS/privacy-filter” or related repositories from the network.
  • Credential Rotation: Rotate all credentials stored on affected machines, including browser-saved passwords, password manager entries, and any cloud provider tokens or SSH keys.
  • System Reimaging: It is strongly recommended to reimage any compromised host before returning it to production use.
  • Review Indicators of Compromise (IoCs): Block the following domains and file hashes at your network perimeter and within endpoint detection systems:
    • Domains: api.eth-fastscan[.]org, recargapopular[.]com, jsonkeeper[.]com, welovechinatown[.]info
    • URL: https[://]api.eth-fastscan[.]org/update.bat
    • File Hashes (SHA256): 3e7cb11}cx|| (loader.py), 5e8ca2a7f4 (loader.py v2), [start.bat hash], [update.bat hash], [Infostealer C1 hash]
    • Hugging Face Repositories: anthubBonsai/BonsaiLLM, anthubWen/5BA/BAREPEWen/5}BA, anthubWen/ClaudeOpusReasoningDistilled
    • Scheduled Task: MicrosoftEdgeUpdateTaskCore
    • File Paths: %TEMP%update.bat, %TEMP%runners1 / runner.ps1

    Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

  • Enhance Supply Chain Security: Implement stricter vetting processes for third-party open-source components and repositories. Utilize automated security scanning tools to detect malicious code in downloaded packages.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

GhostLock Attack Exploits Windows SMB to Lock Files

Next Post

ShinyHunters Breaches Instructure Canvas LMS via Free Teacher Accounts

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Linus Torvalds Clarifies Linux Kernel’s Stance on AI Development
July 17, 2026
7-Zip Critical Vulnerability Exposes Millions to Remote Code Execution
July 17, 2026
Two Hackers Jailed for Hacking 148 TfL Systems, Forcing 27,000 Staff Password Resets
July 17, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us