244,000 downloads and a #1 trending spot on Hugging Face gave a malicious repository the appearance of trust — but the package hid a Rust-based information stealer that targeted Windows machines.
Open-OSS/privacy-filter repository impersonates OpenAI’s release
A repository named Open-OSS/privacy-filter masqueraded as OpenAI’s legitimate open-weight Privacy Filter (openai/privacy-filter), copying the official model card “nearly verbatim” to lure users, the HiddenLayer Research Team reported. Access to the malicious model has been disabled by Hugging Face after the repository reached the platform’s top trending position with approximately 244,000 downloads and 667 likes within 18 hours — numbers HiddenLayer said were likely artificially inflated to give the project an illusion of trust.
Privacy Filter itself was unveiled in April 2026 by OpenAI as a tool to detect and redact personally identifiable information (PII) from unstructured text. The fake repository instructed users to clone the project and run a provided batch script ("start.bat") for Windows or a Python loader ("loader.py") for Linux and macOS to configure dependencies and start the model.
loader.py and the multi-stage Windows infection chain
HiddenLayer characterized the impersonation succinctly: "The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines." Once run, the Python loader disabled SSL verification, decoded a Base64-encoded URL hosted on JSON Keeper, and used that URL to extract a command passed to PowerShell.
PowerShell fetched a batch script from api.eth-fastscan[.]org and launched it via "cmd.exe." That batch script functioned as a second-stage downloader that elevated privileges by prompting User Account Control (UAC), configured Microsoft Defender exclusions, downloaded a next-stage binary from the same domain, and created a scheduled task to run a PowerShell script that launched the executable. After the scheduled task executed, the batch script removed itself within two seconds.
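A defender-side check for the loader stage described above, added here as an example and not taken from the article or from HiddenLayer's tooling: it parses a repository's Python start script with `ast` and flags the co-occurrence of the three traits reported for loader.py (SSL verification disabled, a Base64-decoded value, a command handed to PowerShell). The sample script is constructed and inert, and the indicator names and threshold are assumptions of this example.

```python
import ast
import re

# Constructed, inert sample with the three traits the article attributes to
# loader.py: SSL verification disabled, a Base64-decoded value, and a command
# handed to PowerShell. The Base64 string is a placeholder; nothing is executed.
SAMPLE_LOADER = '''
import ssl, base64, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
resolver = base64.b64decode("PLACEHOLDER_BASE64").decode()
subprocess.run(["powershell", "-NoProfile", "-Command", resolver])
'''

POWERSHELL = re.compile(r"powershell|pwsh", re.IGNORECASE)

def _dotted(node):
    """Render an attribute chain such as ssl._create_unverified_context."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def _first_string(call):
    """First string argument of a call, looking inside a leading list."""
    arg = call.args[0] if call.args else None
    if isinstance(arg, ast.List) and arg.elts:
        arg = arg.elts[0]
    return arg.value if isinstance(arg, ast.Constant) and isinstance(arg.value, str) else ""

def scan_loader(source):
    """Return (indicator, line) pairs, ordered by line, for the loader traits."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _dotted(node.value) == "ssl._create_unverified_context":
            findings.append(("ssl_verification_disabled", node.lineno))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name == "base64.b64decode":
                findings.append(("base64_decoded_value", node.lineno))
            elif name.startswith("subprocess.") and POWERSHELL.search(_first_string(node)):
                findings.append(("powershell_spawned", node.lineno))
    return sorted(findings, key=lambda f: f[1])

def is_suspicious(source, threshold=2):
    """Flag a script when at least `threshold` distinct indicators co-occur."""
    return len({name for name, _ in scan_loader(source)}) >= threshold
```

A single indicator (Base64 decoding alone is common in legitimate code) does not trip the threshold; the combination reported for this loader does.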
Final payload: information stealer with evasion features
The final stage deployed a Rust-based information stealer designed to harvest a broad range of sensitive data. HiddenLayer's analysis says the stealer takes screenshots and extracts data from Discord, cryptocurrency wallets and extensions, system metadata, FileZilla configurations and wallet seed phrases, and web browsers based on the Chromium and Gecko rendering engines. Stolen data was exfiltrated in JSON format to recargapopular[.]com.
To avoid detection, the stealer performs checks for debuggers and sandboxes, ensures it is not running in a virtual machine, and attempts to disable Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). Despite using a scheduled task, HiddenLayer explained that "this stage establishes no persistence: the task is destroyed before any reboot. It is being used as a one-shot SYSTEM-context launcher."
Related repositories, shared domains, and ties to ValleyRAT infrastructure
Further analysis uncovered six additional repositories that include a similar Python loader designed to deploy the same stealer. HiddenLayer listed them by name:
- anthfu/Bonsai-8B-gguf
- anthfu/Qwen3.6-35B-A3B-APEX-GGUF
- anthfu/DeepSeek-V4-Pro
- anthfu/Qwopus-GLM-18B-Merged-GGUF
- anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF
- anthfu/supergemma4-26b-uncensored-gguf-v2
HiddenLayer also observed api.eth-fastscan[.]org serving a different Windows executable ("o0q2l47f.exe") that beacons to welovechinatown[.]info, a command-and-control server previously used in a campaign that delivered ValleyRAT (aka Winos 4.0). Panther, reporting on the earlier campaign, described how a malicious npm package named trevlo used a postinstall hook to run an obfuscated JavaScript loader that spawns a base64-encoded PowerShell command and fetches a second-stage PowerShell script, which in turn downloads and runs a Winos 4.0 stager binary ("CodeRun102.exe") with full evasion.
HiddenLayer concluded that "The shared infrastructure suggests these campaigns are possibly linked and likely part of a broader supply chain operation targeting open-source ecosystems."
What this means for technologists, open-source maintainers, and end users
Technologists and security teams should treat download counts and trending rank as signals that themselves need validation, not as a substitute for provenance: the incident shows that a model card and apparent popularity can be weaponized to deliver multi-stage malware.
Open-source maintainers need to monitor for typosquatting and rapid copy-and-paste replicas of official project documentation; HiddenLayer’s discovery of multiple anthfu-* repositories using the same loader demonstrates how one code pattern can be reused to broaden impact.
End users — especially those running third-party models locally on Windows — must be cautious about executing repository-provided scripts. The chain exposed here involved disabling SSL checks, using JSON Keeper as a dead-drop resolver, and fetching executables from attacker-controlled domains, all steps that convert a clone-and-run convenience into an attack vector.
Hugging Face has disabled access to the malicious repository, but the episode underscores that distribution channels and apparent social proof can be manipulated quickly. The shared-infrastructure links to prior ValleyRAT campaigns raise further questions about whether opportunistic supply-chain techniques will be reused to push other remote-access trojans or information stealers.
Original reporting: https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html