Fake OpenAI Privacy Filter Repo Delivers Rust Infostealer via Hugging Face

Overview

A malicious Hugging Face repository named Open‑OSS/privacy‑filter impersonated OpenAI’s legitimate Privacy Filter model to deliver a Rust‑based information stealer targeting Windows users. Before removal, the repo reached the #1 trending position with 244,000 downloads and 667 likes in just 18 hours, numbers that were likely inflated to boost visibility.

Attack Chain

  • Typosquatting: The repo copied OpenAI’s model card verbatim to appear authentic.
  • Execution Instructions: Users were told to run start.bat (Windows) or loader.py (Linux/macOS).
  • loader.py Behavior:
    • Disabled SSL verification.
    • Fetched a Base64‑encoded URL from JSON Keeper.
    • Passed extracted command to PowerShell for execution.
  • Second Stage: PowerShell downloaded update.bat from api.eth-fastscan[.]org.
    • Elevated privileges via UAC prompt.
    • Added Microsoft Defender exclusions.
    • Downloaded next‑stage binary.
    • Created scheduled task (MicrosoftEdgeUpdateTaskCore) to launch payload.
  • Final Payload: Rust‑based infostealer.
    • Stole Discord data, crypto wallets, FileZilla configs, browser credentials.
    • Took screenshots and exfiltrated data to recargapopular[.]com.
    • Evaded detection by disabling AMSI and ETW, checking for VMs/sandboxes.

Broader Campaign

  • HiddenLayer linked attacker infrastructure to six other malicious repos uploaded under the same account:
    • anthfu/Bonsai-8B-gguf
    • anthfu/Qwen3.6-35B-A3B-Apex-GGUF
    • anthfu/DeepSeek-V4-Pro
    • anthfu/Qwopus-GLM-18B-Merged-GGUF
    • anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF
    • anthfu/supergemma4-26b-uncensored-gguf-v2
  • Shared infrastructure overlaps with ValleyRAT (Winos 4.0) campaigns attributed to the Chinese group Silver Fox, which were previously spread via the npm package trevlo.

Why It Matters

This incident highlights a new supply chain vector: malicious repos typosquatting legitimate AI projects to deliver malware. By inflating popularity metrics, attackers weaponize trust in trending open‑source projects to reach thousands of unsuspecting developers.

Defensive Guidance

  • Treat any system that cloned or executed Open‑OSS/privacy‑filter as compromised.
  • Immediate Actions:
    • Isolate affected hosts.
    • Rotate all credentials (browser, SSH, VPN, cloud tokens).
    • Revoke API keys.
    • Reimage systems before reuse.
  • Monitor for IoCs:
    • Domains: api.eth-fastscan[.]org, recargapopular[.]com, welovechinatown[.]info.
    • Scheduled task: MicrosoftEdgeUpdateTaskCore.
    • File paths: %TEMP%\update.bat, %TEMP%\runnerps1.
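As an added example (not part of the article or of HiddenLayer’s report), the following PowerShell triage script checks a Windows host for the indicators listed above. The domains, scheduled task name and file paths are taken from the article; the variable names, the Defender-exclusion check and the output shape are this example’s own choices.

```powershell
# Added example: host triage for the IoCs published in the article.
# Run in an elevated PowerShell session on a host that may have cloned or executed the repo.
# Domains are kept in the article's defanged form and refanged only for matching.
$Domains   = @('api.eth-fastscan[.]org', 'recargapopular[.]com', 'welovechinatown[.]info') |
             ForEach-Object { $_ -replace '\[\.\]', '.' }
$TaskName  = 'MicrosoftEdgeUpdateTaskCore'
$FilePaths = @("$env:TEMP\update.bat", "$env:TEMP\runnerps1")

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Category, [string]$Detail)
    $script:findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Persistence: the scheduled task created by update.bat
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' "$TaskName -> $action"
}

# 2. Dropped files in %TEMP% (hash them for your own case notes; no hashes are in the article)
foreach ($p in $FilePaths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Add-Finding 'File' "$p (SHA256 $hash)"
    }
}

# 3. Defender exclusions: update.bat added some, so any exclusion on a dev box deserves review
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if ($ex) { Add-Finding 'DefenderExclusion' $ex }
    }
}

# 4. Recent resolution of the download / exfiltration domains in the DNS client cache
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $Domains) {
    if ($cache | Where-Object { $_.Entry -like "*$d*" -or $_.Name -like "*$d*" }) {
        Add-Finding 'DnsCache' $d
    }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators from the article found on this host.' }
else { $findings | Format-Table -AutoSize }
```

A clean result from this script is not proof of a clean host: the article says the stealer disables AMSI and ETW and the DNS cache is short-lived, so treat it as a quick first pass before the isolate-and-reimage steps above.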

Final Thought

The fake Privacy Filter repo shows how attackers exploit open‑source trust and AI hype. Developers must verify sources before cloning trending projects. For defenders, the lesson is clear: supply chain security now extends to AI model repositories — popularity is not proof of safety.
