The malicious Open-OSS/privacy-filter repository on the Hugging Face platform, masquerading as the legitimate OpenAI Privacy Filter model, was used to deliver a Rust-based information stealer targeting Windows users. According to the research team at HiddenLayer, the attackers copied the description of the legitimate model almost verbatim and used typosquatting to trick developers. The repository has already been blocked by the platform, but the incident affects a broad range of users working with open machine learning models and illustrates the growing threat of supply chain attacks in the AI ecosystem.
Attack mechanism: from cloning to exfiltration
The legitimate Privacy Filter model was introduced by OpenAI in April 2026 as a tool for detecting and redacting personally identifiable information (PII) in unstructured text. The attackers capitalized on its popularity by creating a look-alike repository under the Open-OSS account.
The infection chain started with instructions to clone the repository and run the batch script start.bat (for Windows) or the Python script loader.py (for Linux/macOS). According to the researchers, the Python loader carried out the following actions:
- Disabled SSL certificate verification
- Decoded a Base64-encoded URL hosted on the JSON Keeper service
- Extracted a command and passed it to PowerShell for execution
The use of JSON Keeper — a public service for hosting JSON data — as an intermediate resolver allowed the attackers to change the payload without modifying the repository itself. This significantly complicates static analysis and blocking.
Multi-stage payload delivery
The PowerShell command downloaded a batch script from the remote server api.eth-fastscan[.]org and executed it via cmd.exe. This second-stage script prepared the environment:
- Requested privilege escalation via a UAC prompt
- Configured exclusions in Microsoft Defender Antivirus
- Downloaded the next-stage binary from the same domain
- Created a scheduled task to run a PowerShell script that executed the downloaded file
As noted by HiddenLayer researchers, the scheduled task was used as a one-time launch mechanism in the SYSTEM context — the task was deleted before reboot and did not provide persistence.
Final payload: information stealer
The final component — an information stealer — targeted a wide range of data:
- Screenshots
- Discord data
- Cryptocurrency wallets and browser extensions
- System metadata
- FileZilla configurations and wallet seed phrases
- Browser data from Chromium- and Gecko-based browsers
The stealer included analysis-evasion mechanisms: debugger and sandbox detection, virtual machine checks, as well as attempts to disable AMSI (Windows Antimalware Scan Interface) and ETW (Event Tracing for Windows). The stolen data was exfiltrated in JSON format to the domain recargapopular[.]com.
Campaign scale and related repositories
In addition to the main repository, HiddenLayer researchers discovered six additional repositories on Hugging Face with a similar Python loader, all under the anthfu account:
- anthfu/Bonsai-8B-gguf
- anthfu/Qwen3.6-35B-A3B-APEX-GGUF
- anthfu/DeepSeek-V4-Pro
- anthfu/Qwopus-GLM-18B-Merged-GGUF
- anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF
- anthfu/supergemma4-26b-uncensored-gguf-v2
The names of these repositories imitate popular open models, pointing to a systematic typosquatting approach within the Hugging Face ecosystem.
Possible link to ValleyRAT campaigns
The researchers also observed that the domain api.eth-fastscan[.]org was used to distribute another executable — o0q2l47f.exe — which communicated with the command-and-control server welovechinatown[.]info. According to research by Panther, this same C2 server previously appeared in a campaign leveraging the malicious npm package trevlo, which delivered ValleyRAT (also known as Winos 4.0) via a multi-stage PowerShell dropper.
It should be emphasized that the link between the Hugging Face campaign and ValleyRAT activity is based on overlapping infrastructure and represents the researchers’ analytical assessment, not confirmed attribution. HiddenLayer suggests that the shared infrastructure may indicate a broader operation targeting supply chains in open ecosystems.
Impact assessment
Developers and researchers working with open machine learning models and downloading them from Hugging Face without thorough source verification face the highest risk. Compromise can lead to the leakage of credentials, cryptocurrency assets, server configurations, and browser data — both personal and corporate.
The incident highlights the vulnerability of platform trust models for distributing ML models: repository popularity (number of downloads and likes) can be artificially inflated, creating a false impression of legitimacy.
Recommendations
- Verify the model source: before downloading, make sure the repository belongs to the official organization (for example, openai/privacy-filter), and not to an account with a similar name
- Analyze repository contents: check for suspicious files (loader.py, start.bat) and scripts that download from external servers or disable SSL verification
- Block indicators of compromise at the network infrastructure level: domains api.eth-fastscan[.]org, recargapopular[.]com, welovechinatown[.]info; SHA-256 hash c1b59cc25bdc1fe3f3ce8eda06d002dda7cb02dea8c29877b68d04cd089363c7
- Monitor attempts to disable AMSI and ETW on endpoints — this is a characteristic marker of this infection chain
- Use isolated environments (containers, virtual machines) to test any downloaded models before deploying them into production infrastructure
- Perform retrospective analysis for connections to the listed domains if your organization has downloaded models from Hugging Face in recent weeks
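As an added example (not HiddenLayer's tooling and not code from the original write-up), the following Python script applies the first two recommendations to a cloned repository: it flags a repository id whose model name matches an official model under a different namespace, and it scans script files for the loader behaviours described in the infection chain above (disabled SSL verification, a Base64-decoded URL, a PowerShell invocation). The allow-list, the regex heuristics and the sample repository contents are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Assumed allow-list of official repositories; extend it for your own organisation.
OFFICIAL_MODELS = {"openai/privacy-filter"}
SUSPICIOUS_FILES = {"loader.py", "start.bat"}  # entry points named in the write-up
SCRIPT_SUFFIXES = {".py", ".bat", ".ps1", ".sh"}
# Heuristic regexes (assumed) for the loader behaviours described in the write-up.
SUSPICIOUS_PATTERNS = {
    "ssl_verification_disabled": re.compile(r"verify\s*=\s*False|_create_unverified_context"),
    "base64_decoded_url": re.compile(r"b64decode"),
    "powershell_execution": re.compile(r"powershell", re.IGNORECASE),
    "external_download": re.compile(r"https?://|urlopen|requests\.get", re.IGNORECASE),
}

def check_repo_id(repo_id, official=OFFICIAL_MODELS):
    """Classify a Hugging Face repo id as 'official', 'lookalike' or 'unknown'."""
    if repo_id in official:
        return "official"
    name = repo_id.split("/")[-1].lower()
    # Same model name under a different namespace is the typosquat shape seen here.
    if any(known.split("/")[-1].lower() == name for known in official):
        return "lookalike"
    return "unknown"

def scan_script(text):
    # Names of every suspicious behaviour whose pattern matches the script body.
    return sorted(n for n, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))

def scan_repo(files):
    # files maps relative path -> content; returns {path: [findings]} for script files.
    findings = {}
    for path, text in files.items():
        p = Path(path)
        if p.suffix not in SCRIPT_SUFFIXES:
            continue  # weights, READMEs and configs are not scanned by this heuristic
        hits = scan_script(text)
        if p.name in SUSPICIOUS_FILES:
            hits.append("entry_point_name")
        if hits:
            findings[path] = sorted(hits)
    return findings

# Constructed sample repository, not the real loader: it only mimics the described markers.
SAMPLE_REPO = {
    "README.md": "# Privacy Filter\nDetects and redacts PII in unstructured text.\n",
    "loader.py": ("import ssl, base64, subprocess\n"
                  "ssl._create_default_https_context = ssl._create_unverified_context\n"
                  "url = base64.b64decode('PLACEHOLDER').decode()\n"
                  "subprocess.run(['powershell', '-Command', cmd])\n"),
}
```

Run `scan_repo` over the files of a freshly cloned repository before executing anything from it; any finding on an entry-point script is reason to stop and review by hand.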
Organizations using models from Hugging Face should immediately review their download history for the presence of the listed malicious repositories and scan endpoints for the specified indicators of compromise. Implementing a policy of mandatory source verification and running models only in isolated environments is the minimum required measure to protect against supply chain attacks in the machine learning ecosystem.