May 13, 2026 ChainGPT

Impostor "OpenAI" Model Trended on Hugging Face — Malware Stole Passwords and Crypto Seeds

Fake “OpenAI” Model Topped Hugging Face—Then Secretly Stole Passwords, Wallets and More

OpenAI’s small Privacy Filter model, released in late April to automatically redact PII and published under an Apache 2.0 license, drew quick community interest on Hugging Face. Within days, attackers exploited that attention by publishing a near-identical copy under a fake account, “Open-OSS.” The impostor repo cloned OpenAI’s model card almost verbatim; the only difference was an instruction to run the included loader files (start.bat for Windows, loader.py for Linux/macOS). In less than 18 hours the fake listing hit #1 on Hugging Face’s trending page, recording roughly 244,000 downloads and 667 likes.

AI-security firm HiddenLayer, which uncovered the campaign, flagged strong signs of manipulation: 657 of the 667 likes came from accounts whose names follow predictable auto-generated patterns, and the download totals were likely inflated by the same bot-driven tactics. The goal was manufactured social proof: make the repo look popular and legitimate so developers would run its files. Likes, downloads and a trending rank are all signals the platform derives from account activity, and account activity is cheap to fabricate; the namespace that published the repo is the one thing in the listing the attacker could not make say “openai.”

What happened after someone ran those files
- The visible “loader” mimicked model training (fake progress bars and dummy text) to reassure users it was legitimate.
- Behind the scenes it disabled security protections, fetched an encoded command from a public JSON paste site, and executed that payload via a hidden shell process.
- That command pulled a second script from a domain designed to resemble a blockchain-analytics API, which in turn delivered the real payload: a custom infostealer written in Rust.
- The malware added itself to Windows Defender exclusions, launched with SYSTEM-level privileges through a scheduled task that immediately deleted itself, and left little trace.

What the malware stole
The final payload was comprehensive. It extracted saved passwords, session cookies, browser history and browser encryption keys from Chrome and Firefox. It also targeted Discord sessions, cryptocurrency wallet seed phrases, SSH and FTP keys, and took screenshots across all monitors. The harvested data was compressed into a JSON bundle and exfiltrated to attacker-controlled servers. The malware was also sandbox-aware and would quietly exit if it detected a virtual machine or analysis environment, a design meant to infect real hosts once and then vanish. That check also means the loader can look harmless when detonated in a clean VM; anyone analysing it has to account for the sandbox exit before concluding it does nothing.

Not an isolated play
HiddenLayer tied six additional malicious repos under another account, “anthfu,” to the same loader and command server; these impostors posed as other popular models (Qwen3, DeepSeek, Bonsai, etc.). The researchers also observed the same infrastructure (a domain called api.eth-fastscan.org) hosting other malicious samples that beacon to a command server. HiddenLayer describes that wider activity as “possibly linked,” noting that shared infrastructure alone does not prove a single operator.

This is a textbook supply-chain-style social attack against the AI developer community: the attackers did not breach Hugging Face or OpenAI. They published convincing clones, gamed the trending algorithm with bots, and relied on developers to run the code. The technique echoes past supply-chain compromises, most notably the 2024 Lottie Player incident that cost at least one user 10 BTC, with one difference: there the genuine npm package itself was trojanized, whereas here the genuine model was never touched and the trust signals around a copy were forged instead.

What you should do if you ran the files
If you cloned and executed anything from Open-OSS/privacy-filter on a Windows machine, treat the device as fully compromised. HiddenLayer’s analysis describes the Windows chain; a Linux or macOS host where loader.py was run should be treated the same way until you know otherwise.
- Do not log into accounts from that machine. Wipe the device and reinstall the OS from trusted media.
- From a clean device, rotate every credential that was stored in or used from the browsers on that machine: change passwords, sign out of all active sessions so stolen cookies stop working, and revoke OAuth tokens and app passwords.
- Assume any wallet seed phrases or keys that were on the machine have been stolen; move funds to a new wallet created on a clean device immediately. A new wallet restored from the same seed gives no protection.
- Reset Discord sessions and passwords, and treat any SSH or FTP keys that were on the machine as burned: remove the corresponding public keys from authorized_keys files and servers, then generate new ones.

Current status and unanswered questions
Hugging Face has removed the malicious repository but has not announced any new measures for screening trending projects. HiddenLayer has confirmed seven malicious repositories in this campaign; how many others were published and removed before detection remains unknown.

Why crypto users should care
This campaign specifically targeted data types that let an attacker monetize directly: wallet seeds and session tokens. In the crypto world the consequences are immediate and irreversible; funds moved out of a compromised wallet are typically gone for good. The incident underscores that developer trust signals (stars, trending lists, copied readmes) can be manipulated, and that even projects tied to reputable organizations can be weaponized by impersonators. Stay cautious: verify repo provenance (the publishing namespace, not the readme), prefer checksums and signatures for binaries, prefer safetensors weights over pickle-based formats that execute code on load, and do not run unvetted code, especially anything that asks for elevated permissions, on machines used to hold sensitive accounts or crypto assets.
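As an added example (not HiddenLayer’s tooling or Hugging Face’s code), the following Python script performs the pre-download triage that the social-proof section and the provenance advice above call for: it compares the publishing namespace with the official one, detects a model card copied from the official repo, flags scripts, executables and pickle-based weights in the file listing, checks whether the card tells the user to run one of those files, and scores the share of likes from bot-looking account names. In practice a caller would fetch the file list, card and likers with huggingface_hub; here a repo listing and like-account names are constructed inline to resemble the campaign described in the article, so the script runs offline. The official repo id “openai/privacy-filter”, the suffix lists and the bot-name regex are assumptions, not published indicators.

```python
"""Pre-download triage for a Hugging Face model repository.

Added example for this article; not HiddenLayer's or Hugging Face's code.
The sample data below is constructed, and the official repo id, suffix
lists and bot-name regex are assumptions rather than published indicators.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Assumption: files with these suffixes execute code if a user runs them and are
# never required just to load weights. (.py is flagged for review, not banned:
# custom modelling code is legitimate, but must be read before trust_remote_code.)
EXECUTABLE_SUFFIXES = (".bat", ".cmd", ".ps1", ".sh", ".exe", ".msi", ".vbs", ".py")
# Pickle-based weight formats deserialise with arbitrary code execution on load.
PICKLE_SUFFIXES = (".bin", ".pt", ".pth", ".pkl", ".ckpt")
# Assumed heuristic for auto-generated usernames: short alphabetic stem + long digit run.
BOT_NAME_RE = re.compile(r"^[A-Za-z]{2,}[0-9]{4,}$")


@dataclass
class Triage:
    repo_id: str
    findings: list[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.findings)


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def triage_repo(repo_id, files, card_text, official_namespace, official_card=None,
                like_accounts=(), bot_like_threshold=0.5):
    """Return a Triage with one finding per red flag; no findings means 'nothing obvious'."""
    t = Triage(repo_id)
    namespace, _, name = repo_id.partition("/")

    # 1. Provenance: the namespace is the one listing field bots cannot inflate.
    if namespace != official_namespace:
        t.findings.append(
            f"namespace '{namespace}' is not the official '{official_namespace}' for '{name}'")

    # 2. Cloned model card: a copy of the official card under another namespace is the
    #    impersonation pattern, not evidence of legitimacy.
    if official_card is not None and namespace != official_namespace:
        if sha256_text(card_text) == sha256_text(official_card):
            t.findings.append("model card is a byte-for-byte copy of the official card")
        elif official_card.strip() in card_text:
            t.findings.append("model card contains the full official card plus extra instructions")

    # 3. Executable content, and instructions in the card to run it.
    runnable = []
    for f in files:
        low = f.lower()
        if low.endswith(EXECUTABLE_SUFFIXES):
            runnable.append(f)
            t.findings.append(f"script or executable in a model repo: {f}")
        elif low.endswith(PICKLE_SUFFIXES):
            t.findings.append(f"pickle-based weights (code runs on load): {f}")
    mentioned = [f for f in runnable if f.split("/")[-1] in card_text]
    if mentioned:
        t.findings.append(f"model card tells the user to run: {', '.join(mentioned)}")

    # 4. Manufactured social proof: share of likes from bot-looking account names.
    if like_accounts:
        bots = [a for a in like_accounts if BOT_NAME_RE.match(a)]
        if len(bots) / len(like_accounts) >= bot_like_threshold:
            t.findings.append(
                f"{len(bots)}/{len(like_accounts)} like accounts match the auto-generated name pattern")
    return t


# Constructed sample data resembling the campaign described above (not real repo contents).
OFFICIAL_CARD = "# Privacy Filter\nRedacts PII from text. Licence: Apache-2.0.\n"
IMPOSTOR_CARD = OFFICIAL_CARD + "\nRun start.bat (Windows) or loader.py (Linux/macOS) to load the model.\n"
OFFICIAL_FILES = ["README.md", "config.json", "model.safetensors", "tokenizer.json"]
IMPOSTOR_FILES = OFFICIAL_FILES + ["start.bat", "loader.py"]
IMPOSTOR_LIKES = [f"user{n:05d}" for n in range(20)] + ["mlresearcher", "jane-doe"]


def triage_impostor() -> Triage:
    return triage_repo("Open-OSS/privacy-filter", IMPOSTOR_FILES, IMPOSTOR_CARD,
                       official_namespace="openai", official_card=OFFICIAL_CARD,
                       like_accounts=IMPOSTOR_LIKES)


def triage_official() -> Triage:
    # "openai/privacy-filter" is an assumed id for the genuine repo, not a verified one.
    return triage_repo("openai/privacy-filter", OFFICIAL_FILES, OFFICIAL_CARD,
                       official_namespace="openai", official_card=OFFICIAL_CARD,
                       like_accounts=["mlresearcher", "jane-doe", "alice42"])


if __name__ == "__main__":
    for t in (triage_impostor(), triage_official()):
        print(t.repo_id, "RISKY" if t.risky else "ok")
        for line in t.findings:
            print("  -", line)
```

The namespace check is deliberately first and independent of everything else: a repo can have a clean file listing and organic likes and still be an impersonation, and conversely a genuine org can ship a .py file. The bot-name heuristic is a coarse proxy for what HiddenLayer observed and will miss bot accounts with human-looking names, so treat a low score as absence of evidence, not evidence of absence.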