A fake OpenAI repository has taken top spot on Hugging Face — but all it does is push infostealer malware
- Attackers typosquatted an OpenAI repo on HuggingFace, distributing an infostealer disguised as a “privacy filter” model
- The malware disabled SSL checks, escalated privileges, and deployed the sefirah payload to steal credentials, crypto wallets, and system data
- The fake repo hit 244,000 downloads and briefly topped HuggingFace rankings before removal, with other linked malicious repos also taken down
Cybercriminals were able to spoof OpenAI products to distribute infostealer malware to more than 240,000 computers before being spotted and eliminated, experts have warned.
Security researchers HiddenLayer said they spotted a new repository on HuggingFace called Open-OSS/privacy-filter.
The privacy filter repository is, according to HiddenLayer, a typosquatted version of the official release, and its model card was copied “nearly verbatim”. The loader.py file shipped in it fetches and executes an infostealer, they added.
Rising to the top
Before dropping the infostealer, the malware first disabled SSL verification, decoded a base64 URL, and from it downloaded a JSON payload with a PowerShell command. This command, in turn, downloaded a batch file that escalated privileges, deployed the ‘sefirah’ payload, added it to Microsoft Defender’s exclusion list, and then ran it.
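As an added illustration (not code from HiddenLayer or from the repository described here), the sketch below statically checks a Python file pulled from a model repo for the loader behaviours listed above: disabled TLS verification, a base64 string that decodes to a URL, and a PowerShell reference. The finding labels and the sample source are constructed for this example, and the source is only parsed, never executed.

```python
import ast
import base64
import binascii

def _decodes_to_url(text):
    """Return the decoded URL if text is base64 for an http(s) URL, else None."""
    if len(text) < 16:
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw.startswith((b"http://", b"https://")):
        return raw.decode("ascii", "replace")
    return None

def scan_source(source):
    """Return sorted (line, finding) tuples for loader-style indicators."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        # requests-style call with verify=False
        if isinstance(node, ast.keyword) and node.arg == "verify":
            if isinstance(node.value, ast.Constant) and node.value.value is False:
                findings.add((node.value.lineno, "tls-verification-disabled"))
        # ssl._create_unverified_context or ssl.CERT_NONE
        elif isinstance(node, ast.Attribute) and node.attr in (
                "_create_unverified_context", "CERT_NONE"):
            findings.add((node.lineno, "tls-verification-disabled"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = _decodes_to_url(node.value)
            if url:
                findings.add((node.lineno, "base64-url:" + url))
            if "powershell" in node.value.lower():
                findings.add((node.lineno, "powershell-reference"))
    return sorted(findings)

# Constructed sample input: shows the indicator pattern only, with a reserved
# .invalid host and a harmless command. It is parsed by ast, never run.
_B64 = base64.b64encode(b"https://example.invalid/cfg.json").decode()
SAMPLE = f'''import base64, ssl, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("{_B64}").decode()
subprocess.run(["powershell", "-Command", "Write-Output constructed"])
'''

if __name__ == "__main__":
    for line, finding in scan_source(SAMPLE):
        print(f"line {line}: {finding}")
```

A hit is a reason to read the file before loading the model, not proof of malice; a clean result does not clear a file that hides its strings some other way.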
The infostealer itself does what most infostealers do: it grabs data saved in browsers, exfiltrates Discord tokens, local databases, and master keys, and steals cryptocurrency wallet information, browser extension data, SSH, FTP, and VPN credentials, as well as sensitive files stored locally. It can also grab screenshots, exfiltrate system information, and more.
The download count on the fake repository is massive - 244,000 downloads in mere days.
However, this doesn’t mean every download led to an infection. BleepingComputer says the download numbers may have been inflated, and that the repository itself was “liked” by 667 auto-generated accounts. Even if it was all fake, the repository still managed to hit #1 on Hugging Face for a brief moment, which definitely could have led to infections.
However, by following the trail of the fake accounts, HiddenLayer was able to expose other, less-successful repositories, which were also malicious and used the same infrastructure. All of these have since been removed from the platform.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.