Fake OpenAI Repo Tops Hugging Face, Installs Password-Stealer

A fake Hugging Face repository posing as OpenAI’s Privacy Filter hit No. 1, logged about 244,000 downloads and delivered malware that stole browser passwords, tokens and crypto seeds.

A repository impersonating OpenAI’s Privacy Filter reached Hugging Face’s No. 1 trending spot and, after roughly 244,000 downloads in under 18 hours, installed malware that stole browser passwords, Discord tokens, cryptocurrency wallet seed phrases and SSH keys.

The repo was published by an account named “Open-OSS” and copied OpenAI’s model card and readme almost verbatim. The repository instructed users to run start.bat on Windows or loader.py on Linux and macOS. The AI security firm that flagged the campaign found the repo had 667 likes, 657 of which matched automated account naming patterns, and said the download counts were likely inflated by similar fake accounts.

Analysis of the files shows a multi-stage loader designed to appear legitimate. The loader.py script displayed fake model training output while disabling security checks, fetching an encoded command from a public JSON paste site and passing that command to a hidden PowerShell process on Windows. That command downloaded a second script from a domain impersonating a blockchain analytics API. The second script retrieved a Rust-based infostealer, added the malware to Windows Defender exclusions, scheduled it to run with SYSTEM privileges, then removed the installer and other traces.

Once active, the infostealer harvested saved credentials and secrets from Chrome and Firefox, including passwords, session cookies and browser encryption keys. It extracted Discord session tokens, cryptocurrency wallet seed phrases and private keys, and SSH and FTP credentials. The malware took screenshots across monitors, compressed the collected data into a JSON bundle and sent it to attacker-controlled servers. It was programmed to detect virtual machines and sandboxes and to exit quietly if one was found.

Researchers identified six additional malicious repositories uploaded by an account named “anthfu” in late April that used the same loader and pointed to the same command server. The shared infrastructure included a domain, api.eth-fastscan.org, that hosted another malware sample, which was observed beaconing to a command server. Researchers noted that shared infrastructure can indicate links between campaigns but does not prove a single operator. In total, seven malicious repositories tied to this campaign have been confirmed; more copies may have existed or been removed before detection.

Users who cloned Open-OSS/privacy-filter on a Windows machine and ran any file from it should treat the device as fully compromised. Affected users are advised not to log into accounts from the infected machine and to wipe the device before reuse. After reinstalling, users should change all passwords and OAuth tokens stored in browsers, invalidate Discord sessions and reset passwords, replace any SSH or FTP keys that were on the machine, and move cryptocurrency funds to a new wallet created on a clean device.
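One way a responder could check a home directory or a mounted disk image for the traces named above, as an added example that is not from the original report or from Hugging Face. The account names and the domain come from the article; the `models--<owner>--<name>` cache folder layout, the HTTPS remote URL form, the file-extension list and the finding labels are assumptions of this sketch.

```python
import os
import sys

# Account names and domain come from the article; the rest is an assumption.
BAD_OWNERS = {"open-oss", "anthfu"}
BAD_DOMAINS = (b"api.eth-fastscan.org",)
TEXT_EXT = {".py", ".bat", ".ps1", ".cmd", ".json", ".txt", ".log"}
SELF = os.path.realpath(globals().get("__file__", ""))  # avoid flagging this script

def cache_owner(dirname):
    """Owner part of a Hugging Face cache folder (models--<owner>--<name>)."""
    parts = dirname.lower().split("--")
    ok = len(parts) >= 3 and parts[0] in ("models", "datasets", "spaces")
    return parts[1] if ok else None

def read_small(path, limit=1_000_000):
    """Lower-cased bytes of a file, or b"" if unreadable or over the limit."""
    try:
        if os.path.getsize(path) > limit:
            return b""
        with open(path, "rb") as fh:
            return fh.read().lower()
    except OSError:
        return b""

def scan(root):
    """Walk root and return sorted (kind, path) findings."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:  # hub cache folders left by a library download
            if cache_owner(d) in BAD_OWNERS:
                found.append(("hf-cache", os.path.join(dirpath, d)))
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            cfg = read_small(os.path.join(dirpath, "config"))
            if any(b"huggingface.co/" + o.encode() + b"/" in cfg for o in BAD_OWNERS):
                found.append(("git-clone", os.path.dirname(dirpath)))
        for name in filenames:  # scripts or logs that mention the domain
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_EXT or os.path.realpath(path) == SELF:
                continue
            if any(dom in read_small(path) for dom in BAD_DOMAINS):
                found.append(("domain-ref", path))
    return sorted(found)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for kind, path in scan(root):
        print(f"{kind}\t{path}")
```

A finding shows the repository was fetched to that disk or that the domain is referenced there; it does not show whether start.bat or loader.py was run.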

Hugging Face removed the malicious repository. The company has not announced additional screening measures for trending repositories.
