Malicious Hugging Face Repository Executes Windows Malware

Overview

A trending Hugging Face repository named “Open‑OSS/privacy‑filter” was discovered hiding malware targeting Windows machines. Before removal, it had amassed 200,000+ downloads, tricking developers by copying OpenAI’s Privacy Filter project to appear legitimate.

Attack Chain

  1. Initial Execution: Users were instructed to run start.bat (Windows) or loader.py (Linux/macOS).
  2. Loader Behavior:
    • Disabled SSL verification.
    • Fetched a JSON payload from jsonkeeper[.]com.
    • Extracted the cmd field and executed it silently via PowerShell.
  3. Second Stage: PowerShell downloaded update.bat from api.eth-fastscan[.]org.
    • Added Microsoft Defender exclusions.
    • Dropped payloads into %TEMP%.
    • Created persistence via MicrosoftEdgeUpdateTaskCore scheduled task.
  4. Final Payload: A Rust‑based infostealer (~10 MB).
    • Anti‑analysis checks (debuggers, VMs, sandboxes).
    • Launched eight parallel modules to steal:
      • Browser cookies, saved passwords, session data.
      • SSH keys, VPN configs, FTP credentials.
      • Cryptocurrency wallet files.
      • Screenshots of the victim’s system.
    • Exfiltrated data to recargapopular[.]com via POST requests.

Campaign Scope

  • Repository artificially inflated downloads/likes to trend on Hugging Face.
  • Linked attacker account uploaded six other repositories with near‑identical loader functionality.
  • Infrastructure overlap suggests a coordinated supply chain operation targeting open‑source AI ecosystems.

Defensive Guidance

  • Immediate Isolation: Treat any system that cloned or executed the repo as compromised.
  • Credential Rotation: Reset browser, SSH, VPN, and cloud provider credentials.
  • Token Revocation: Revoke API keys and cloud tokens.
  • System Reimaging: Strongly advised before returning hosts to production.
  • Monitoring: Watch for persistence tasks (MicrosoftEdgeUpdateTaskCore) and outbound traffic to IoCs.

Indicators of Compromise (IoCs)

  • Domains: api.eth-fastscan[.]org, recargapopular[.]com, jsonkeeper[.]com, welovechinatown[.]info.
  • Files: loader.py, start.bat, update.bat, Rust infostealer payload.
  • Scheduled Task: MicrosoftEdgeUpdateTaskCore.
  • File Paths: %TEMP%\update.bat, %TEMP%\runner.ps1.
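The Monitoring guidance above and the IoC list can be turned into a quick host triage. The script below is an added example written for this page, not code from the original report or from any party involved; it checks the persistence task, Defender exclusions, the dropped files in %TEMP%, and cached DNS answers and live TCP connections for the listed domains, without resolving those domains itself (so the triage generates no traffic to attacker infrastructure). It assumes a Windows 10/11 host with Microsoft Defender, an elevated session, and that the dropped script referenced on this page is named runner.ps1.

```powershell
# Added example (not from the original article): triage a Windows host for the
# indicators described on this page. Run elevated so Get-MpPreference and
# Get-NetTCPConnection return complete data.

$TaskName = 'MicrosoftEdgeUpdateTaskCore'
# IoC domains from the article, with the defanging brackets removed.
$Domains  = @('api.eth-fastscan.org', 'recargapopular.com', 'jsonkeeper.com', 'welovechinatown.info')
$DropPaths = @(
    (Join-Path $env:TEMP 'update.bat'),
    (Join-Path $env:TEMP 'runner.ps1')   # assumption: file name written as "runnerps1" on the page
)

function Test-IocDomain([string]$Name) {
    # True when a DNS entry ends with one of the IoC domains (covers subdomains too).
    foreach ($d in $Domains) { if ($Name -like "*$d") { return $true } }
    return $false
}

function Invoke-RepoMalwareTriage {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Persistence: scheduled task created by the second-stage batch file.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task '$TaskName' present, action: $action")
    }

    # 2. Defender exclusions: the second stage added exclusions before dropping payloads.
    #    Any exclusion is worth reviewing; on most developer workstations the list is empty.
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    if ($prefs) {
        foreach ($ex in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension)) {
            if ($ex) { $findings.Add("Defender exclusion configured: $ex") }
        }
    }

    # 3. Dropped files in %TEMP%; hash them so the value can be shared with the IR team.
    foreach ($p in $DropPaths) {
        if (Test-Path -LiteralPath $p) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings.Add("Dropped file present: $p (SHA256 $hash)")
        }
    }

    # 4. Network: cached DNS answers for IoC domains, and live connections to the
    #    addresses those answers carried. No lookups are issued by this script.
    $dnsHits = @(Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { Test-IocDomain $_.Entry })
    foreach ($h in $dnsHits) {
        $findings.Add("DNS cache: $($h.Entry) -> $($h.Data)")
    }
    $iocIps = @($dnsHits | ForEach-Object { $_.Data } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } | Select-Object -Unique)
    if ($iocIps.Count -gt 0) {
        $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Where-Object { $iocIps -contains $_.RemoteAddress }
        foreach ($c in $conns) {
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            $findings.Add("Live connection to IoC address $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess) ($($proc.ProcessName))")
        }
    }

    return $findings
}

$results = Invoke-RepoMalwareTriage
if ($results.Count -eq 0) {
    Write-Output 'No indicators from this campaign found on this host.'
} else {
    Write-Warning 'Indicators found: treat the host as compromised, rotate credentials, and reimage.'
    $results | ForEach-Object { Write-Output " - $_" }
}
```

A clean result here does not clear a host that is known to have executed the loader; the infostealer's anti-analysis checks and the attacker's ability to change file names mean the article's advice to isolate and reimage still applies. The script is for scoping (which other hosts show the task, exclusions, or traffic), not for proving absence.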

Final Thought

This incident highlights the growing risk of supply chain attacks in open‑source AI ecosystems. By mimicking trusted projects and gaming popularity metrics, attackers weaponize developer trust at scale. For defenders, the lesson is clear: verify repositories, audit loaders, and treat trending projects with skepticism until vetted.
