Malware Discovered in Typosquatted Hugging Face Repository Impersonating OpenAI

Severity: High (Score: 72.0)

Sources: www.hiddenlayer.com, Bleepingcomputer

Summary

On May 7, 2026, researchers identified malware in the Hugging Face repository Open-OSS/privacy-filter, which impersonated OpenAI's legitimate Privacy Filter project. The malicious repository reached #1 on the platform, accumulating 244,000 downloads before it was removed. It contained a loader.py file that executed infostealer malware on Windows systems. The attack combined typosquatting, copied model cards, and a command-and-control channel used to fetch and execute malicious payloads. Users who interacted with the repository are advised to treat their systems as compromised and take immediate security measures, including reimaging affected machines and rotating credentials. The malware features extensive anti-analysis capabilities that complicate detection. The incident highlights ongoing threats to AI model repositories despite existing security measures.

Key Points

  • A malicious repository on Hugging Face impersonated OpenAI's Privacy Filter, reaching 244,000 downloads.
  • The malware executed via a loader.py script that fetched infostealer payloads on Windows systems.
  • Users are urged to reimage affected machines and rotate all stored credentials immediately.

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • WinOS 4.0 Implant (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.003 - Windows Command Shell (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Hugging Face (tool)
  • PowerShell (tool)
  • Linux (platform)
  • MacOS (platform)
  • Windows (platform)
  • 6d5b1b7b9b95f2074094632e3962dc21432c2b7dccfbbe2c7d61f724ffcfea7c (sha256)
  • c1b59cc25bdc1fe3f3ce8eda06d002dda7cb02dea8c29877b68d04cd089363c7 (sha256)