“The figures were almost certainly artificially inflated,” HiddenLayer said after security researchers found a malicious repository that had amassed more than 244,000 downloads and 667 likes in under 18 hours on Hugging Face.
HiddenLayer’s May 7 discovery and the typosquat
AI security vendor HiddenLayer identified a repository named Open-OSS/privacy-filter as malicious on May 7, according to the vendor's blog post. The repository presented itself as a near-copy of OpenAI's legitimate Privacy Filter release, even duplicating the model card almost verbatim — a classic typosquatting maneuver intended to mislead users searching for the genuine project.
The six-stage attack chain and execution instructions
HiddenLayer traced the campaign’s execution across six stages. Victims who landed on the malicious repo were directed to clone it and run one of two entry points: start.bat for Windows systems, or python loader.py for Linux and macOS. The Python loader contained a base64-encoded payload which, when decoded, dropped a malicious executable — a Rust-based infostealer.
Capabilities of the Rust-based infostealer and its evasion techniques
The infostealer was built with multiple techniques aimed at avoiding detection and maximizing credential theft. According to the report, the malware:
- “hides its use of Windows APIs to defeat static analysis,”
- runs checks to detect debuggers and sandboxes,
- looks for signs it is running in a virtual machine (VirtualBox, VMware, QEMU, Xen), and
- “attempts to disable Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to evade behavioral detection.”
Functionally, the payload was engineered to harvest a broad range of credentials and session material: browser passwords and session cookies, Discord tokens and master keys, cryptocurrency wallets (including seed phrases and keystores), Telegram sessions, OAuth tokens, SSH keys, FTP credentials (with FileZilla called out specifically), and cloud provider tokens.
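The loader pattern described above (a script carrying a base64-encoded blob that decodes to a native executable) and the evasion strings listed in the report both lend themselves to a static pre-execution check on a freshly cloned repository. The triage script below is an added example and is not HiddenLayer's tooling or anything from the repository itself; the file names, the stub payload and the indicator strings it looks for are constructed for illustration, and a hit is a reason to stop and inspect, not proof of malice.

```python
import base64
import re

# Magic bytes of native executables; none of these belongs base64-encoded
# inside a "loader" script shipped with a model repository.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows executable)",
    b"\x7fELF": "ELF (Linux executable)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
}

# Strings tied to the evasion behaviour the report describes (VM and debugger
# checks, AMSI/ETW tampering). A hit is a triage signal, not proof.
EVASION_INDICATORS = [
    b"VirtualBox", b"VMware", b"QEMU", b"Xen",
    b"IsDebuggerPresent", b"AmsiScanBuffer", b"amsi.dll", b"EtwEventWrite",
]

# Runs of base64 alphabet at least 64 characters long; shorter runs are noise.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def triage_script(source: bytes) -> dict:
    """Flag base64 blobs that decode to executables, plus evasion strings."""
    executables = []
    indicators = set()
    for match in BASE64_RUN.finditer(source):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # not valid base64 after all (bad length or padding)
            continue
        for magic, kind in EXECUTABLE_MAGIC.items():
            if decoded.startswith(magic):
                executables.append(
                    {"offset": match.start(), "kind": kind, "size": len(decoded)}
                )
        # Evasion strings usually sit in the decoded payload, not the script text.
        indicators.update(i.decode() for i in EVASION_INDICATORS if i in decoded)
    indicators.update(i.decode() for i in EVASION_INDICATORS if i in source)
    return {"embedded_executables": executables, "evasion_indicators": sorted(indicators)}


def triage_repo(files: dict) -> dict:
    """Run triage_script over a {path: bytes} snapshot of a cloned repository."""
    return {
        path: triage_script(body)
        for path, body in files.items()
        if path.endswith((".py", ".bat", ".sh", ".ps1"))
    }


# Constructed sample data (not the real payload): a stub "PE" that is only an MZ
# header plus evasion strings, embedded in a loader.py-style script, next to a
# benign base64 PNG that must not be flagged.
_STUB_PE = b"MZ" + b"\x00" * 62 + b"VMware\x00QEMU\x00AmsiScanBuffer\x00EtwEventWrite\x00"
_STUB_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 80
SAMPLE_REPO = {
    "loader.py": b"import base64\nBLOB = '" + base64.b64encode(_STUB_PE) + b"'\n",
    "utils.py": b"import base64\nLOGO = '" + base64.b64encode(_STUB_PNG) + b"'\n",
    "start.bat": b"@echo off\r\npython loader.py\r\n",
    "README.md": b"# privacy-filter\n",
}

if __name__ == "__main__":
    for path, result in triage_repo(SAMPLE_REPO).items():
        print(path, result)
```

Running this on a real checkout means reading each file into the `files` dictionary; the extension filter keeps the scan on the entry points a user would actually be told to run (`start.bat`, `loader.py`), which is where the report places the dropper logic.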
HiddenLayer’s mitigation steps — treat the host as fully compromised
HiddenLayer urged any user who cloned the repository and executed start.bat, python loader.py or any other file from the repo to consider the host fully compromised. The vendor’s recommended actions were explicit and immediate:
- “Because the payload is a credential-harvesting infostealer, do not log into anything from the affected host before wiping it,” the vendor explained.
- Isolate the host, then wipe and rebuild it; do not attempt to remediate in place.
- Rotate every credential that was stored in browsers, password managers, or other credential stores on the machine — saved passwords, session cookies, OAuth tokens, SSH keys, FTP credentials and any cloud provider tokens.
- Treat browser sessions as compromised even if passwords were not saved, because stolen session cookies can help threat actors bypass multi-factor authentication.
- Move cryptocurrency funds to a new wallet generated on a clean device and assume seed phrases, keystores and wallet extension data may have been stolen.
- Invalidate Discord sessions and reset Discord passwords because tokens and master keys were explicitly targeted.
- Block the indicators of compromise (IOCs) provided in the report at egress and hunt historical connections to identify other affected hosts.
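The last step, blocking the report's IOCs at egress and hunting historical connections, is the one that finds hosts whose owners never reported anything. The hunt below is an added example, not HiddenLayer's code; the indicator values are placeholders (TEST-NET addresses and `.invalid` domains), because the real IOCs come from the vendor's report, and the proxy log format and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Placeholder indicators: the real IOCs are in HiddenLayer's report and are not
# reproduced here. These constructed values only exercise the matcher.
IOC_DOMAINS = {"c2.example-ioc.invalid", "panel.example-ioc.invalid"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Assumed egress/proxy log format (space-separated, no quoting):
# <timestamp> <src_host> <dst_ip> <dst_domain or -> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst_ip>\S+) (?P<dst_domain>\S+) (?P<path>\S+) (?P<status>\d+)$"
)


def matches_ioc(dst_ip: str, dst_domain: str) -> list:
    """Return the reasons a destination matches the IOC set (empty if none)."""
    reasons = []
    if dst_ip in IOC_IPS:
        reasons.append(f"ip:{dst_ip}")
    for domain in IOC_DOMAINS:
        # Match the domain itself and any subdomain of it.
        if dst_domain == domain or dst_domain.endswith("." + domain):
            reasons.append(f"domain:{domain}")
    return reasons


def hunt(log_lines) -> dict:
    """Return {src_host: [(timestamp, reason), ...]} for every record that hit an IOC."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed record: skip rather than abort a hunt over millions of lines
        for reason in matches_ioc(m["dst_ip"], m["dst_domain"]):
            hits[m["src"]].append((m["ts"], reason))
    return dict(hits)


def affected_hosts(hits: dict) -> list:
    """Summarise hits as (host, first_seen, hit_count), sorted by host name."""
    return sorted(
        (host, min(ts for ts, _ in records), len(records))
        for host, records in hits.items()
    )


# Constructed sample log (dates, hosts and destinations are invented).
SAMPLE_LOG = [
    "2024-05-07T09:12:01Z ws-ml-03 192.0.2.10 huggingface.co /Open-OSS/privacy-filter 200",
    "2024-05-07T09:13:44Z ws-ml-03 203.0.113.45 c2.example-ioc.invalid /api 200",
    "2024-05-07T09:13:45Z ws-ml-03 203.0.113.45 c2.example-ioc.invalid /api 200",
    "2024-05-07T10:02:10Z ws-dev-17 198.51.100.7 - /status 302",
    "2024-05-07T10:05:00Z ws-dev-17 192.0.2.9 cdn.panel.example-ioc.invalid /x 200",
    "2024-05-07T10:06:00Z ws-fin-02 192.0.2.20 example.com / 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, first_seen, count in affected_hosts(hunt(SAMPLE_LOG)):
        print(f"{host}: first IOC contact {first_seen}, {count} matching records")
```

Each host the summary lists is a candidate for the same isolate-wipe-rotate treatment the report prescribes for the self-reported one; the unresolved-destination case (`-` in the domain column) is why the matcher checks IPs as well as domains.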
What this means for technologists, end users, and crypto/Discord users
Technologists and security teams: The campaign underlines the need to treat popular community repositories as part of the AI supply chain risk surface. HiddenLayer’s instruction to block IOCs at egress and hunt historical connections is a concrete, actionable response aligned to the observed attack chain.
End users and open-source consumers: Anyone who cloned the repo and executed files must assume full compromise; HiddenLayer’s directive — do not log into anything from the affected host before wiping it — is a blunt but necessary stance given the credential-harvesting objective of the payload.
Cryptocurrency holders and Discord users: The malware’s explicit targeting of crypto wallets, seed phrases, and Discord tokens means users of those services named in the report need to rotate secrets, invalidate sessions, and move funds only from clean devices.
Infostealers remain a prolific source of stolen credentials: HiddenLayer cited KELA’s recent data that at least 347 million credentials were originally obtained by infostealers found on roughly 3.9 million infected machines. That metric frames this Hugging Face typosquat not as an isolated stunt but as an instance of a persistent and profitable cybercrime model.
Platforms, researchers and users are left with sharply practical questions: how to spot and limit artificially inflated popularity signals on code-sharing sites, how to harden discovery and vetting workflows for mirrors and model forks, and how quickly operators can block the IOCs and force credential rotation across affected estates. HiddenLayer’s findings provide immediate remediation steps; the broader remedy will require platform-level controls and vigilant operational response.