Hugging Face Repository Executes Malware on Windows Machines
Key Takeaways A popular AI repository on Hugging Face, “Open-OSS/privacy-filter,” distributed sophisticated malware targeting Windows systems. The malicious package mimicked a legitimate...
Key Takeaways
- A popular AI repository on Hugging Face, “Open-OSS/privacy-filter,” distributed sophisticated malware targeting Windows systems.
- The malicious package mimicked a legitimate OpenAI privacy filter, accumulating over 200,000 downloads before its removal.
- The multi-stage attack deployed a Rust-based infostealer designed to evade detection and exfiltrate sensitive data, including browser credentials, SSH keys, and cryptocurrency wallet files.
- The campaign appears to be part of a broader supply chain attack, with the same threat actor linked to six other malicious repositories.
A widely popular artificial intelligence repository hosted on Hugging Face, which garnered over 200,000 downloads, has been identified as a vector for severe malware distribution. This malicious software specifically targets Windows users, a critical finding detailed in a recent analysis by researchers at Hidden Layer.
Table Of Content
The repository, named “Open-OSS/privacy-filter,” achieved significant traction, recording more than 200,000 downloads before the Hugging Face platform team intervened to remove it. The threat actors behind this operation employed a deceptive tactic, cloning the model card almost identically from OpenAI’s legitimate Privacy Filter project. This imitation granted the malicious package a veneer of authenticity, leading thousands of developers and researchers to download and utilize it without suspicion, believing they were engaging with a reputable AI utility.
Hidden Layer’s investigation uncovered the sophisticated malicious code embedded within the repository. Their detailed analysis revealed a multi-stage attack chain, meticulously crafted to stealthily exfiltrate sensitive information from Windows machines while maintaining a low profile throughout its operation.
The malware executed silently in the background, employing a loader file designed to appear and behave like a genuine AI model tool. Once activated on a Windows system, the full extent of the compromise began without any overt indicators to the user.
The rapid proliferation of this campaign was not accidental. Prior to its removal, the repository had climbed to the top trending position on Hugging Face, achieving approximately 244 downloads and 77 likes within a single hour. These metrics strongly suggest artificial inflation, a common tactic used by attackers to boost visibility and ensnare more victims.
Understanding the Malware’s Execution Chain
The attack unfolded through a carefully orchestrated six-stage process. Initially, the model card instructed users to clone the repository and execute either a start.bat file for Windows or a Python loader.py script for Linux/macOS environments.
Initial Infection and PowerShell Execution
Upon execution on a Windows system, the loader.py script would first run a decoy code segment, mimicking a legitimate loader. Subsequently, it invoked a function named verify_checksum_integrity. This function bypassed SSL verification, decoded a base64-encoded URL pointing to jsonkeeper[.]com, retrieved a JSON document, and extracted a command from the cmd field. This command was then passed directly to PowerShell, executing silently with its execution policy bypassed, enabling covert operations.
Persistence and Evasion
The second stage involved PowerShell downloading a batch file, update.bat, from a domain, api.eth-fastscan[.]org, which masqueraded as a blockchain analytics service. This batch file performed six critical actions, including checks for administrative privileges, downloading further payloads, and adding exclusions for the malware’s directories within Microsoft Defender. To ensure persistence, a scheduled task named MicrosoftEdgeUpdateTaskCore was created. Notably, this task was designed as a “one-shot” launcher, deleting itself after execution to obscure its presence.
The Infostealer Payload and Credential Theft
The ultimate payload was a robust 10 MB Rust-based infostealer. This sophisticated malware was engineered to leverage Windows API calls to thwart static analysis and included mechanisms to detect debuggers, sandboxes, and virtual machines, such as VirtualBox, VMware, Hyper-V, and Parallels. If any of these environments were detected, the infostealer would cease operation to avoid analysis.
Once deployed on a genuine system, the infostealer initiated eight concurrent collection modules. These modules systematically targeted sensitive data, including cookies, login credentials, saved passwords, and session tokens from Chrome and Firefox browsers, SSH keys, VPN configurations, FTP credentials, and cryptocurrency wallet files. Additionally, screenshots were captured, compressed, and exfiltrated to a command-and-control (C2) server located at recargapopular[.]com using a POST request with a Bearer token authorization header.
Telemetry from Hidden Layer also linked the same attacker account to six other repositories uploaded on April 24, 2025. All these repositories exhibited nearly identical loader functionality and shared infrastructure with the “Open-OSS/privacy-filter” campaign, strongly indicating a coordinated supply chain attack targeting open-source AI ecosystems.
What You Should Do
- Isolate Affected Systems: Immediately disconnect any system that downloaded or cloned “Open-OSS/privacy-filter” or related repositories from the network.
- Credential Rotation: Rotate all credentials stored on affected machines, including browser-saved passwords, password manager entries, and any cloud provider tokens or SSH keys.
- System Reimaging: It is strongly recommended to reimage any compromised host before returning it to production use.
- Review Indicators of Compromise (IoCs): Block the following domains and file hashes at your network perimeter and within endpoint detection systems:
- Domains:
api.eth-fastscan[.]org,recargapopular[.]com,jsonkeeper[.]com,welovechinatown[.]info - URL:
https[://]api.eth-fastscan[.]org/update.bat - File Hashes (SHA256):
3e7cb11}cx||(loader.py),5e8ca2a7f4(loader.py v2),[start.bat hash],[update.bat hash],[Infostealer C1 hash] - Hugging Face Repositories:
anthubBonsai/BonsaiLLM,anthubWen/5BA/BAREPEWen/5}BA,anthubWen/ClaudeOpusReasoningDistilled - Scheduled Task:
MicrosoftEdgeUpdateTaskCore - File Paths:
%TEMP%update.bat,%TEMP%runners1/runner.ps1
Note: IP addresses and domains are intentionally defanged (e.g.,
[.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. - Domains:
- Enhance Supply Chain Security: Implement stricter vetting processes for third-party open-source components and repositories. Utilize automated security scanning tools to detect malicious code in downloaded packages.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.