- Attackers typosquatted an OpenAI repository on HuggingFace, distributing an information stealer disguised as a ‘privacy filter’ template
- The malware disabled SSL checks, escalated privileges and deployed the sefirah payload to steal credentials, crypto wallets and system data
- The fake repository reached 244,000 downloads and briefly topped the HuggingFace rankings before its removal, while other related malicious repositories were also removed.
Cybercriminals successfully spoofed OpenAI products to distribute infostealer malware to more than 240,000 computers before being detected and eliminated, experts have warned.
Security researchers HiddenLayer said they spotted a new repository on HuggingFace called Open-OSS/privacy-filter.
The privacy filter repository is, according to HiddenLayer, a typosquatted copy of the official repository, accompanied by a model card copied “almost verbatim”. The loader.py file provided there fetches and runs an infostealer, they added.
Climb to the top
Before deploying the infostealer, the malware first disabled SSL checking, decoded a base64-encoded URL, and downloaded from it a JSON payload containing a PowerShell command. This command, in turn, downloaded a batch file that escalated privileges, deployed the “sefirah” payload, added it to Microsoft Defender’s exclusion list, and then executed it.
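For anyone reviewing a model repository before running its loader script, the three loader behaviours described above can be checked statically. The sketch below is an added example, not HiddenLayer's tooling or code from the repository; the specific patterns it treats as "SSL checking disabled" and the sample script are assumptions constructed for illustration.

```python
import ast
import base64
import binascii
import re

URL_RE = re.compile(rb"^(?:https?|ftp)://", re.I)
SHELL_RE = re.compile(r"powershell|pwsh|cmd\.exe", re.I)

def hides_url(text):
    """True if a string literal is valid base64 that decodes to a URL."""
    if len(text) < 16:
        return False
    try:
        return bool(URL_RE.match(base64.b64decode(text, validate=True)))
    except (binascii.Error, ValueError):
        return False

def scan_loader(source):
    """Return sorted (line, finding) pairs for the loader behaviours above."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        # Assumed patterns for "disabled SSL checks": the ssl module's
        # unverified context, or a verify=False keyword argument.
        if isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            hits.add((node.lineno, "tls-verification-disabled"))
        elif (isinstance(node, ast.keyword) and node.arg == "verify"
              and isinstance(node.value, ast.Constant) and node.value.value is False):
            hits.add((node.value.lineno, "tls-verification-disabled"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if hides_url(node.value):
                hits.add((node.lineno, "base64-hidden-url"))
            if SHELL_RE.search(node.value):
                hits.add((node.lineno, "shell-launch-string"))
    return sorted(hits)

# Constructed sample: parsed as text only, never executed; example.invalid is a placeholder.
_B64 = base64.b64encode(b"https://example.invalid/cfg.json").decode()
SAMPLE = f'''import ssl, base64, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("{_B64}").decode()
subprocess.run(["powershell", "-Command", command_from_json])
'''

if __name__ == "__main__":
    for line, finding in scan_loader(SAMPLE):
        print(f"line {line}: {finding}")
```

Because the script is only parsed, never imported or run, the check is safe to apply to an untrusted loader.py; a clean result is not proof that the file is benign.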
The infostealer itself does what most infostealers do: it scrapes data saved in browsers, exfiltrates Discord tokens, local databases and master keys, and steals cryptocurrency wallet information, browser extension data, SSH, FTP and VPN credentials, as well as locally stored sensitive files. It can also capture screenshots, exfiltrate system information, etc.
The number of downloads on the fake repository is enormous: 244,000 downloads in just a few days.
However, this does not mean that every download results in an infection. BleepingComputer says that download numbers may have been inflated and that the repository itself was “liked” by 667 auto-generated accounts. Yet even if everything was fake, the repository still managed to reach the top spot on Hugging Face for a brief moment, which certainly could have led to infections.
However, by tracking the fake accounts, HiddenLayer was able to discover other, less efficient repositories that were also malicious and used the same infrastructure. All of these have since been removed from the platform.
