Hugging Face Repository Disguised as OpenAI Release Distributed Malware

A malicious repository on the Hugging Face platform, disguised as an official OpenAI release, delivered credential-stealing malware to Windows systems and recorded approximately 244,000 downloads before it was removed. Security firm HiddenLayer identified the threat in a report published this week.

The repository, named Open-OSS/privacy-filter, was designed to imitate OpenAI’s legitimate Privacy Filter release. HiddenLayer stated that the original model card had been copied almost exactly, but the attackers added a malicious loader.py file that fetched and executed credential-stealing malware on Windows hosts.

The number of downloads may have been artificially inflated by the attackers to increase the repository’s apparent popularity. As a result, the true extent of the infection remains unclear. The repository quickly reached the top of Hugging Face’s trending list, accumulating 667 likes in less than 18 hours, a figure that may also have been manipulated.

Risks in the AI Model Supply Chain

Public AI model registries are increasingly seen as potential risks in the software supply chain. Developers and data scientists often clone models directly into corporate environments, which may have access to source code, cloud credentials, and internal systems. A compromised model repository can therefore pose a significant threat beyond a simple nuisance.

The README file of the fake model closely resembled the legitimate project, but it differed by instructing users to run start.bat on Windows or execute python loader.py on Linux and macOS. These instructions were central to the infection chain that HiddenLayer described.

Researchers have previously warned that malicious code can be hidden inside AI model files or related setup scripts on Hugging Face and other public registries. Earlier cases involved Pickle-serialized model files that bypassed platform scanners.

Infection Chain Details

HiddenLayer reported that loader.py began with decoy code that resembled a normal AI model loader, then quickly transitioned to a concealed infection chain. The script disabled SSL verification, decoded a base64-encoded URL linked to jsonkeeper.com, retrieved a remote payload instruction, and passed commands to PowerShell on Windows machines.

The use of jsonkeeper.com as a command-and-control channel allowed the attacker to rotate the payload without changing the repository’s contents. The PowerShell command then downloaded an additional batch file from an attacker-controlled domain. The malware established persistence by creating a scheduled task designed to resemble a legitimate Microsoft Edge update process.

The final payload was a Rust-based infostealer. According to HiddenLayer, it targeted Chromium- and Firefox-derived browsers, Discord local storage, cryptocurrency wallets, FileZilla configurations, and host system information. The malware also attempted to disable the Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), two telemetry sources that endpoint defences rely on.

Wider Campaigns and Industry Context

HiddenLayer also identified six additional Hugging Face repositories that contained virtually identical loader logic and shared infrastructure with the attack described above. This case follows other warnings about malicious AI models on Hugging Face, including poisoned AI SDKs and fake OpenClaw installers.

The common thread is that attackers are treating AI development workflows as a route into otherwise well-protected environments. AI repositories often contain executable code, setup instructions, dependency files, notebooks, and scripts. It is these peripheral elements, rather than the models themselves, that carry the risk.

Sakshi Grover, senior research manager for cybersecurity services at IDC, noted that traditional software composition analysis was designed to inspect dependency manifests, libraries, and container images. It is less effective at identifying malicious loader logic in AI repositories. IDC’s November 2025 FutureScape report predicted that by 2027, 60% of agentic AI systems will have a bill of materials. This would help companies track which AI artifacts they use, where each came from, which versions were approved, and whether they contain executable components.
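As an added illustration of the gap just described, and not HiddenLayer's or IDC's tooling, the Python sketch below does the check that manifest-based SCA skips: it inventories launcher files in a cloned repository and flags the three loader traits this article reports (SSL verification turned off, a base64-hidden URL, a hand-off to PowerShell). The sample `loader.py`, the `.invalid` URL and the indicator names are constructed for this example; `EXEC_SUFFIXES` is an assumption about which files a README might tell users to run.

```python
import ast
import base64
import pathlib
import tempfile
EXEC_SUFFIXES = {".py", ".bat", ".cmd", ".ps1", ".sh"}  # what a README may tell users to run

# Constructed sample with the shape described above (SSL check off, base64 URL,
# PowerShell hand-off). It is only parsed, never run; the URL is https://example.invalid/p
SAMPLE_LOADER = '''import base64, ssl, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode(b"aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcA==").decode()
subprocess.run(["powershell", "-Command", "Write-Output " + url])
'''
def _literal_decodes_to_url(node):
    """True for base64.b64decode(<literal>) whose plaintext starts with http(s)://."""
    is_b64 = (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "b64decode" and node.args and isinstance(node.args[0], ast.Constant))
    try:
        text = base64.b64decode(node.args[0].value, validate=True).decode("utf-8", "replace") if is_b64 else ""
    except (ValueError, TypeError):  # not base64, or not a str/bytes literal
        return False
    return text.lower().startswith(("http://", "https://"))

def scan_python_source(source):
    found = set()  # indicator names are this example's own labels
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            found.add("ssl-verification-disabled")
        if _literal_decodes_to_url(node):
            found.add("base64-obfuscated-url")
        if isinstance(node, ast.Constant) and "powershell" in str(node.value).lower():
            found.add("powershell-invocation")
    return found

def scan_repo(repo_dir):
    report = {}  # relative path -> sorted findings, one entry per script/launcher
    for path in sorted(pathlib.Path(repo_dir).rglob("*")):
        if path.suffix.lower() not in EXEC_SUFFIXES:
            continue  # weights, configs and the model card are not executed
        found = {"non-python-launcher"}  # start.bat-style entry points
        if path.suffix.lower() == ".py":
            found = scan_python_source(path.read_text(encoding="utf-8", errors="replace"))
        report[path.relative_to(repo_dir).as_posix()] = sorted(found)
    return report
def build_sample_repo():  # writes the constructed files to a fresh temp dir
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "loader.py").write_text(SAMPLE_LOADER)
    (root / "start.bat").write_text("python loader.py\n")
    (root / "config.json").write_text("{}")
    return root
```

Run `scan_repo` over a clone before anyone follows the README; a repository whose only executable content is a launcher that decodes a URL and calls PowerShell deserves a human look regardless of its download count.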

Response and Mitigation Recommendations

HiddenLayer advised anyone who cloned Open-OSS/privacy-filter and ran start.bat, python loader.py, or any file from the repository on a Windows host to treat the system as compromised. The firm recommends re-imaging affected systems. Browser sessions should be considered compromised even if passwords are not stored locally, since stolen session cookies can allow attackers to bypass multi-factor authentication in some circumstances.

Hugging Face has confirmed that the repository has been removed. Looking ahead, platform operators and enterprises may need to adopt more rigorous scanning for executable code within AI repositories, and consider implementing bills of materials for all AI artifacts used in development and production environments. The security community expects further disclosures as investigations into linked repositories continue.