LIVE FEED
HIGH Malware Embeds Policy-Triggering Text to Evade LLM-Based Security Scanners // FIRST LOOK First Look: OpenAI Launches Jalapeño Custom Inference Chip Built with Broadcom // FIRST LOOK First Look: Google DeepMind Publishes Six-Category Taxonomy of AI Agent Traps // FIRST LOOK First Look: Agentic AI SOC Systems Ship Autonomous Decision-Making at Machine Speed // FIRST LOOK First Look: MoEngage Acquires Aampe to Deploy Millions of Autonomous AI Marketing Agents // FIRST LOOK First Look: Dragos Launches EmberAI, an OT-Specific AI Security Intelligence Platform // FIRST LOOK First Look: Mistral AI Ships OCR 4 with Structured Document Extraction for RAG Pipelines // HIGH Malicious Pull Requests Compromise AI and Developer Toolchains via CI/CD Flaws // CRITICAL Anthropic's Mythos AI Breached Classified US Government Systems in Hours // FIRST LOOK Cisco and NVIDIA AI Agent Skill Scanners Bypassed by Fake Marketplace Skill //
ATLAS OWASP CRITICAL Active exploitation · Immediate action required Supply Chain Industry News LLM Security RELEVANCE ▲ 8.5

Typosquatted OpenAI Repo on Hugging Face Delivered Rust Infostealer to 244K Users

SOURCE The Hacker News ↗
TL;DR CRITICAL
  • What happened: Fake OpenAI model repo on Hugging Face delivered a Rust infostealer to 244,000 downloaders.
  • Who's at risk: AI/ML practitioners and developers who downloaded or executed the typosquatted Open-OSS/privacy-filter repository on Windows machines are directly exposed.
  • Act now: Audit any usage of Open-OSS/privacy-filter and treat affected systems as fully compromised · Verify Hugging Face repository provenance by checking namespace and commit history before execution · Rotate browser credentials, cryptocurrency wallet keys, and Discord tokens on any affected machine
Typosquatted OpenAI Repo on Hugging Face Delivered Rust Infostealer to 244K Users

Overview

A threat actor successfully typosquatted OpenAI’s legitimate openai/privacy-filter model on Hugging Face, publishing a near-identical repository under the namespace Open-OSS/privacy-filter. The malicious project copied the official model card verbatim, rode the legitimate product’s launch momentum, and reached the platform’s trending list — accumulating 244,000 downloads before Hugging Face disabled access. Privacy Filter is an OpenAI open-weight model released in April 2026 to detect and redact PII from unstructured text, making it a high-value impersonation target for developers integrating privacy tooling into production pipelines.

Technical Analysis

The attack chain is multi-stage and deliberately obfuscated:

  1. Initial Execution: Users are instructed to clone the repository and run start.bat (Windows) or loader.py (Linux/macOS). On Windows, loader.py disables SSL verification, decodes a Base64-encoded URL stored on JSON Keeper (a public JSON paste service used as a dead-drop resolver), and retrieves a PowerShell command.

  2. Dead-Drop Resolver: Using JSON Keeper decouples the payload URL from the repository, allowing operators to hot-swap malware without touching the repo — evading static repository scanning.

  3. Second-Stage Downloader: PowerShell downloads a batch script from api.eth-fastscan[.]org, which:

    • Elevates privileges via a UAC prompt
    • Configures Microsoft Defender exclusions
    • Downloads the next-stage binary from the same domain
    • Establishes a scheduled task to launch a PowerShell-executed binary as SYSTEM

  4. Infostealer Payload (Rust-based):

    • Captures screenshots
    • Harvests credentials from Chromium and Gecko browsers
    • Exfiltrates Discord tokens, cryptocurrency wallet data and extensions, FileZilla configs, and wallet seed phrases
    • Checks for debuggers, sandboxes, and virtual machines
    • Disables AMSI and ETW to evade behavioural detection
    • Operates as a one-shot SYSTEM-context launcher; the scheduled task self-destructs before reboot, leaving no persistence artefact

The ephemeral persistence model suggests the operators prioritise stealth and rapid exfiltration over long-term access.

Framework Mapping

  • AML.T0010 – ML Supply Chain Compromise: The attack directly targets the ML model distribution pipeline via a trojanised repository on a major model-sharing platform.
  • AML.T0019 – Publish Poisoned Datasets/Models: The repository mimics a legitimate model release to introduce malicious code into the consumer’s environment.
  • LLM05 – Supply Chain Vulnerabilities: Hugging Face serves as the distribution vector; the attack exploits weak namespace governance and trending mechanics to amplify reach.

Impact Assessment

With 244,000 downloads, the potential victim pool is large and skewed toward security-conscious developers — precisely those who would adopt a PII-filtering tool. Compromised assets include browser-stored credentials, cryptocurrency holdings, and Discord accounts. The SYSTEM-level execution context means any machine that ran the payload should be considered fully compromised. The self-deleting task complicates forensic investigation, as traditional persistence indicators will be absent.

Mitigation & Recommendations

  • Immediate: Treat any system that executed Open-OSS/privacy-filter artefacts as compromised. Isolate, image, and rebuild.
  • Credential Rotation: Rotate all browser-stored passwords, cryptocurrency wallet keys, and Discord tokens from affected machines.
  • Repository Vetting: Before cloning any Hugging Face repository, verify the exact namespace matches the official vendor account. Check model card edit history for anomalies.
  • Execution Policy: Never run batch or Python setup scripts from model repositories without code review, particularly those requesting elevated privileges.
  • Platform Controls: Organisations should implement allowlists for approved Hugging Face namespaces in CI/CD pipelines and restrict unapproved model downloads in developer environments.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.