Fake OpenAI Privacy Filter Tops Hugging Face, 244K Downloads

Summary
– A malicious Hugging Face repository impersonated OpenAI’s Privacy Filter model to deliver a Rust-based information stealer to Windows users.
– The repo reached the #1 trending spot with artificially inflated downloads and likes before being disabled by Hugging Face.
– The malware uses a Python script to disable SSL verification, decode a URL, and execute a PowerShell command that downloads and runs a batch script.
– The final stealer harvests data from Discord, crypto wallets, browsers, and system files, and exfiltrates it in JSON format to a remote domain.
– The same infrastructure was used to deliver ValleyRAT malware via a malicious npm package, indicating a broader supply chain operation.
A malicious repository on Hugging Face briefly climbed to the top of the platform’s trending charts by impersonating OpenAI’s Privacy Filter open-weight model, ultimately delivering a Rust-based information stealer to Windows users. The project, identified as Open-OSS/privacy-filter, copied the entire description from OpenAI’s legitimate release (openai/privacy-filter) verbatim, tricking unsuspecting users into downloading it. Hugging Face has since disabled access to the malicious model.
OpenAI unveiled Privacy Filter in April 2026 as a tool to detect and redact personally identifiable information (PII) in unstructured text, aiming to embed strong privacy and security protections into applications. However, HiddenLayer’s Research Team revealed in a report last week that the fake repository “typosquatted OpenAI’s legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines.”
The malicious project instructed users to clone the repository and run a batch script (“start.bat”) on Windows or a Python script (“loader.py”) on Linux or macOS to configure dependencies and start the model. Once executed, the Python script triggered malicious code that disabled SSL verification, decoded a Base64-encoded URL hosted on JSON Keeper, and extracted a command passed to PowerShell for further execution. The use of JSON Keeper, a public JSON paste service, as a dead drop resolver allowed attackers to switch payloads on the fly without modifying the repository.
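The following is an added triage example, not code from the report or from either repository: it checks a model repo id against the official release it claims to be and statically scans the Python file a model card asks you to run for the three loader traits described above (TLS verification disabled, a base64-decoded URL, a command handed to PowerShell). The regexes, the similarity threshold and the score cut-off are this example's own heuristics, and the sample loader is constructed (reserved .invalid domain, an echo instead of a real command) so it is inert.

```python
import base64
import binascii
import difflib
import re

# Heuristic indicators modelled on the loader behaviour described in the report.
# These are this example's own patterns, not HiddenLayer's detection content.
INDICATORS = {
    "tls_verification_disabled": re.compile(r"_create_unverified_context|verify\s*=\s*False|CERT_NONE"),
    "base64_decode": re.compile(r"\bb64decode\b"),
    "process_spawn": re.compile(r"\b(?:subprocess|os\.system|os\.popen)\b"),
    "powershell_invocation": re.compile(r"powershell", re.IGNORECASE),
}
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")


def decoded_urls(source: str) -> list:
    """Return every quoted base64 literal in `source` that decodes to an http(s) URL."""
    found = []
    for match in B64_LITERAL.finditer(source):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if re.match(r"https?://", text):
            found.append(text)
    return found


def scan_script(source: str) -> dict:
    """Static scan of a setup script; the score counts matched indicators plus hidden URLs."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    urls = decoded_urls(source)
    return {"indicators": hits, "decoded_urls": urls, "score": len(hits) + len(urls)}


def check_repo_id(repo_id: str, official_repo_id: str) -> dict:
    """Flag a repo whose model name mirrors an official release but lives in another namespace."""
    org, _, name = repo_id.partition("/")
    official_org, _, official_name = official_repo_id.partition("/")
    similarity = difflib.SequenceMatcher(None, name.lower(), official_name.lower()).ratio()
    mismatch = org.lower() != official_org.lower()
    return {
        "namespace_mismatch": mismatch,
        "name_similarity": round(similarity, 2),
        "lookalike": mismatch and similarity >= 0.8,  # 0.8 is an assumed threshold
    }


def triage_repo(repo_id: str, official_repo_id: str, files: dict) -> dict:
    """Combine the namespace check with a scan of every Python file the repo asks you to run."""
    report = check_repo_id(repo_id, official_repo_id)
    report["run_scripts"] = sorted(f for f in files if f.lower().endswith((".py", ".bat", ".ps1", ".sh")))
    report["script_findings"] = {f: scan_script(src) for f, src in files.items() if f.endswith(".py")}
    risky_script = any(r["score"] >= 3 for r in report["script_findings"].values())
    report["verdict"] = "do not run" if report["lookalike"] or risky_script else "review manually"
    return report


# Constructed sample standing in for a loader.py. The URL uses the reserved .invalid TLD and
# the PowerShell call only echoes a string, so the snippet does nothing if executed.
_DEAD_DROP = base64.b64encode(b"https://example.invalid/x").decode()
SAMPLE_LOADER = '''
import base64, ssl, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
RESOLVER = base64.b64decode("__B64__").decode()
subprocess.run(["powershell", "-NoProfile", "-Command", "Write-Output placeholder"])
'''.replace("__B64__", _DEAD_DROP)

# Constructed benign setup file for comparison.
BENIGN_SETUP = "import json\nwith open('config.json') as fh:\n    CONFIG = json.load(fh)\n"

if __name__ == "__main__":
    print(triage_repo("Open-OSS/privacy-filter", "openai/privacy-filter",
                      {"loader.py": SAMPLE_LOADER, "start.bat": "", "config.json": "{}"}))
```

Run against the repo id from the report, the namespace check alone is enough to stop: the model name is identical to the official one while the owner is not OpenAI. The script scan is what catches a same-namespace or renamed clone, and the decoded-URL step surfaces the dead-drop location without executing anything.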
The PowerShell command downloaded a batch script from a remote server (“api[.]eth-fastscan[.]org”) and launched it via “cmd.exe.” This batch script acted as a second-stage downloader, elevating privileges through a User Account Control (UAC) prompt, configuring Microsoft Defender Antivirus exclusions, downloading the next-stage binary from the same domain, and setting up a scheduled task to run the executable via a PowerShell script. Once the scheduled task launched, the malware waited two seconds before deleting itself.
The final stage was an information stealer designed to take screenshots and harvest data from Discord, cryptocurrency wallets and extensions, system metadata, files like FileZilla configurations and wallet seed phrases, and web browsers based on Chromium and Gecko rendering engines. “Despite using a scheduled task, this stage establishes no persistence: the task is destroyed before any reboot. It is being used as a one-shot SYSTEM-context launcher,” HiddenLayer explained.
The stealer also ran checks to detect debuggers and sandboxes, ensured it was not running in a virtual machine, and attempted to disable Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to evade behavioral detection. Stolen data was exfiltrated in JSON format to the domain “recargapopular[.]com.”
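Host-side detection for the second and third stages described in the three paragraphs above, added here as an example; it is not HiddenLayer's detection content. The events are constructed, normalised telemetry in this example's own field names (a real deployment would map Sysmon process-creation events, Defender configuration-change events and scheduled-task audit events into this shape); the paths, PIDs, batch name and task name are invented. The three rules correlate what the report describes: a script interpreter spawning PowerShell that spawns a batch file, a Defender exclusion added shortly after, and a scheduled task that is created and deleted within minutes, which is the one-shot launcher pattern rather than persistence.

```python
import os
from datetime import datetime, timedelta

# Constructed sample telemetry (not a vendor schema); only the chain shape follows the report.
SAMPLE_EVENTS = [
    {"ts": "2026-04-20T10:00:00", "kind": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Python312\python.exe", "cmdline": "python loader.py"},
    {"ts": "2026-04-20T10:00:01", "kind": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command <decoded command>"},
    {"ts": "2026-04-20T10:00:03", "kind": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\stage2.bat"},
    {"ts": "2026-04-20T10:00:05", "kind": "defender_config", "pid": 300,
     "detail": r"Exclusion added: C:\Users\victim\AppData\Local\Temp"},
    {"ts": "2026-04-20T10:00:06", "kind": "task_created", "pid": 300, "task": r"\OneShot"},
    {"ts": "2026-04-20T10:00:09", "kind": "task_deleted", "pid": 0, "task": r"\OneShot"},
]

# Same interpreter doing an ordinary package install: should raise nothing.
BENIGN_EVENTS = [
    {"ts": "2026-04-20T11:00:00", "kind": "process", "pid": 500, "ppid": 1,
     "image": r"C:\Python312\python.exe", "cmdline": "python -m pip install torch"},
]

# Assumption: the interpreters a model "setup" script is likely to run under.
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe", "node.exe"}


def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def lineage(events: list, pid: int) -> list:
    """Image names from the given process up to the root, child first."""
    by_pid = {e["pid"]: e for e in events if e["kind"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Correlate the interpreter -> PowerShell -> batch chain with the Defender and task events."""
    alerts, chain_times = [], []
    # Rule 1: cmd.exe running a .bat whose ancestors include powershell.exe and a script interpreter.
    for e in events:
        if e["kind"] != "process":
            continue
        names = lineage(events, e["pid"])
        if (names[0] == "cmd.exe" and ".bat" in e["cmdline"].lower()
                and "powershell.exe" in names[1:] and SCRIPT_INTERPRETERS & set(names[2:])):
            alerts.append({"rule": "interpreter_powershell_batch_chain", "ts": e["ts"],
                           "chain": " -> ".join(reversed(names))})
            chain_times.append(_ts(e))
    # Rule 2: a Defender exclusion added within `window` of that chain.
    for e in events:
        if e["kind"] == "defender_config" and "exclusion" in e["detail"].lower():
            if any(timedelta(0) <= _ts(e) - t <= window for t in chain_times):
                alerts.append({"rule": "defender_exclusion_after_chain", "ts": e["ts"], "detail": e["detail"]})
    # Rule 3: a scheduled task created and deleted within `window` (one-shot launcher, not persistence).
    created = {e["task"]: _ts(e) for e in events if e["kind"] == "task_created"}
    for e in events:
        if (e["kind"] == "task_deleted" and e["task"] in created
                and timedelta(0) <= _ts(e) - created[e["task"]] <= window):
            alerts.append({"rule": "one_shot_scheduled_task", "ts": e["ts"], "task": e["task"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 3 is the one worth keeping even if the first two are tuned out by noise: a task that exists for seconds leaves no persistence artefact to find later, so the create/delete pair in the audit log is often the only durable trace of the SYSTEM-context launch.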
Before being disabled, the model reached the #1 trending position on Hugging Face with approximately 244,000 downloads and 667 likes within 18 hours. HiddenLayer suspects these numbers were artificially inflated to create an illusion of trust and lure users into downloading it.
Further analysis uncovered six additional repositories featuring a similar Python loader to deploy the stealer: anthfu/Bonsai-8B-gguf, anthfu/Qwen3.6-35B-A3B-APEX-GGUF, anthfu/DeepSeek-V4-Pro, anthfu/Qwopus-GLM-18B-Merged-GGUF, anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF, and anthfu/supergemma4-26b-uncensored-gguf-v2.
HiddenLayer also observed the domain “api[.]eth-fastscan[.]org” serving a different Windows executable (“o0q2l47f.exe”) that beaconed out to “welovechinatown[.]info,” a command-and-control (C2) server previously used in a campaign where a malicious npm package named trevlo delivered ValleyRAT (aka Winos 4.0). The Node.js library was downloaded over 2,300 times after being published by a user named “titaniumg” on April 4, 2026, though the download count may have been artificially boosted. The package is no longer available on npm.
“The package’s postinstall hook silently executes an obfuscated JavaScript loader that spawns a base64-encoded PowerShell command, which in turn fetches and executes a second-stage PowerShell script from attacker-controlled infrastructure,” Panther noted last month. “That script downloads and runs a Winos 4.0 stager binary (‘CodeRun102.exe’) with full evasion, complete with hidden window execution, Zone Identifier removal, and process detachment.”
This attack is notable for representing a new initial access vector for ValleyRAT, a modular remote access trojan typically distributed via phishing emails and search engine optimization (SEO) poisoning. ValleyRAT’s use is exclusively attributed to the Chinese hacking group Silver Fox. “The shared infrastructure suggests these campaigns are possibly linked and likely part of a broader supply chain operation targeting open-source ecosystems,” HiddenLayer concluded.
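An added pre-install audit for the npm side of the campaign, not code from Panther, HiddenLayer or the trevlo package: it lists the lifecycle hooks npm runs automatically, looks for `child_process` use in the package's files, and recovers the plaintext of any PowerShell `-EncodedCommand` argument, which is base64 over UTF-16LE rather than plain base64. The package.json and setup script are constructed; the encoded command is a harmless echo so the sample is inert. `npm install --ignore-scripts` is npm's real switch for suppressing install-time hooks.

```python
import base64
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# -EncodedCommand and its short forms, followed by a base64 blob; the optional quotes and comma
# allow for the argv array a JavaScript spawn() call puts between flag and value.
ENCODED_CMD = re.compile(
    r"-(?:encodedcommand|enc|ec|e)['\"]?[\s,]*['\"]?([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def install_hooks(package_json: str) -> dict:
    """Scripts npm runs without being asked during `npm install`."""
    scripts = json.loads(package_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS}


def decode_encoded_commands(source: str) -> list:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE text; recover the plaintext."""
    commands = []
    for match in ENCODED_CMD.finditer(source):
        try:
            commands.append(base64.b64decode(match.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return commands


def audit_package(package_json: str, files: dict) -> dict:
    """Decide whether a package needs --ignore-scripts and a manual read before installing."""
    hooks = install_hooks(package_json)
    findings = {"hooks": hooks, "spawns_processes": [], "encoded_commands": []}
    for name, src in files.items():
        if "child_process" in src:
            findings["spawns_processes"].append(name)
        findings["encoded_commands"].extend(decode_encoded_commands(src))
    suspicious = bool(hooks) and bool(findings["spawns_processes"] or findings["encoded_commands"])
    findings["verdict"] = ("install with --ignore-scripts and review" if suspicious
                           else "no install-time execution found")
    return findings


def _encoded(cmd: str) -> str:
    """Encode a command the way PowerShell expects for -EncodedCommand (used only to build the sample)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample package: the postinstall hook runs a script that hands PowerShell an
# encoded command. The command is a plain echo, so nothing harmful happens if it is run.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-example", "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js", "test": "node test.js"},
})
SAMPLE_SETUP_JS = (
    "const { spawn } = require('child_process');\n"
    "spawn('powershell.exe', ['-EncodedCommand', '" + _encoded("Write-Output placeholder") + "']);\n"
)
CLEAN_PACKAGE_JSON = json.dumps({"name": "clean-example", "version": "1.0.0",
                                 "scripts": {"test": "node test.js"}})

if __name__ == "__main__":
    print(audit_package(SAMPLE_PACKAGE_JSON, {"setup.js": SAMPLE_SETUP_JS}))
```

The UTF-16LE step is the part people get wrong when triaging these loaders: decoding the blob as UTF-8 yields interleaved NUL bytes and looks like binary garbage, which is sometimes enough for a reviewer to skip it.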
(Source: Internet)