OpenAI released Privacy Filter in late April—a small, open-weight model built to detect and automatically redact personally identifiable information from text. It landed on Hugging Face under an Apache 2.0 license and quickly attracted developer interest. Someone noticed.
Within days, a fake account named “Open-OSS” published a near-identical repository called privacy-filter. The model card was copied word for word from OpenAI’s. The only difference in the “readme” file: instructions to clone the repo and run a file called start.bat on Windows, or loader.py on Linux and Mac.
Within 18 hours, the fake repo hit #1 on Hugging Face’s trending page—racking up approximately 244,000 downloads and 667 likes. HiddenLayer, the AI security firm that flagged the campaign, found that 657 of those 667 likes came from accounts matching predictable auto-generated bot-naming patterns.
The download numbers were almost certainly inflated the same way. Manufactured social proof to make the bait look real.
The malware basically worked like a poisoned pill wrapped in a very convincing candy coating. The loader.py script opens with fake model training output—progress bars, synthetic datasets, dummy class names—designed to look like a real AI loader is running.
Under the hood, it quietly disables security checks, pulls an encoded command from a public JSON paste site (a smart trick: no need to update the repository when the payload changes), and passes that command to PowerShell running completely hidden in the background. Windows users see nothing.
That command downloads a second script from a domain mimicking a blockchain analytics API. That script downloads the actual malware—a custom-built infostealer written in Rust—adds it to Windows Defender’s exclusions list, then launches it at SYSTEM-level privileges via a scheduled task that immediately deletes itself after firing. The whole chain runs and cleans up after itself, leaving almost no trace.
The final payload is thorough. It grabs everything stored in Chrome and Firefox—saved passwords, session cookies, browser history, encryption keys, everything. It targets Discord accounts, cryptocurrency wallet seed phrases, SSH keys, FTP credentials, and takes screenshots across all monitors. Then it packages everything as a compressed JSON bundle and ships it to attacker-controlled servers.
There’s no need for us to tell you what the hackers can do with all that information later.
The malware also checks whether it’s running in a virtual machine or a security sandbox, and quits quietly if it detects one. It’s designed to run once on real targets, steal everything, and disappear.
This isn’t an isolated incident. It’s part of a pattern. HiddenLayer identified six additional repositories under a separate Hugging Face account named “anthfu,” uploaded in late April, using the exact same malicious loader pointing to the exact same command server. Those repos impersonated models like Qwen3, DeepSeek, and Bonsai to lure AI developers.
The infrastructure itself—a domain called api.eth-fastscan.org—was also observed hosting a separate malware sample that beacons to a command server. HiddenLayer believes the connection between the two campaigns is “possibly linked” and cautions that shared infrastructure alone doesn’t confirm a single operator.
This is what a supply chain attack against the AI developer community looks like. The attacker doesn’t break into OpenAI or Hugging Face. They just publish a convincing lookalike, game the trending algorithm with bots, and wait for developers to do the rest. A similar playbook hit the Lottie Player JavaScript library in 2024, costing one user 10 Bitcoin (worth over $700,000 at the time).
If you cloned Open-OSS/privacy-filter on a Windows machine and ran any file from it, you should treat the device as fully compromised. Don’t log into anything from that machine before wiping it.
After that, change all the credentials that were stored in your browser—passwords, session cookies, OAuth tokens. Move any crypto funds to a new wallet generated on a clean device ASAP and assume seed phrases were stolen.
Since it also gets your Discord information, and that service is heavily automated, you should invalidate your Discord sessions and reset that password. Any SSH keys or FTP credentials on that machine should be considered burned.
The repository is now removed. Huggingface has not disclosed what, if any, additional screening measures it plans to implement for trending repositories.
As of now, seven confirmed malicious repositories from this campaign have been identified. How many more exist—or existed before being detected—remains unknown.
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Read the full article here
Verify the accuracy of this article using AI-powered analysis and real-time sources.
Enter your email to receive detailed fact-checking analysis
You've used your 5 free reports. Sign up for unlimited access!
Already have an account? Sign in here
The FSNN News Room is the voice of our in-house journalists, editors, and researchers. We deliver timely, unbiased reporting at the crossroads of finance, cryptocurrency, and global politics, providing clear, fact-driven analysis free from agendas.
We and our selected partners wish to use cookies to collect information about you for functional purposes and statistical marketing. You may not give us your consent for certain purposes by selecting an option and you can withdraw your consent at any time via the cookie icon.
Cookies are small text that can be used by websites to make the user experience more efficient. The law states that we may store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission. This site uses various types of cookies. Some cookies are placed by third party services that appear on our pages.
Freedom Index