Why the Hugging Face Infostealer Wasn't a Surprise (And What We're Still Missing)
We continue to see malicious packages infiltrate public repositories, from npm and PyPI to now, Hugging Face. A recent Hugging Face infostealer incident, the "Open-OSS/privacy-filter" attack identified by HiddenLayer researchers on May 7, 2026, revealed a common attack vector: the exploitation of implicit trust and platform mechanics within public repositories. This fake repository, impersonating OpenAI's legitimate "Privacy Filter" project, quickly became the #1 trending item. It accumulated an estimated 244,000 downloads and 667 likes in under 18 hours. This rapid traction, even if artificially inflated, demonstrates how quickly a malicious actor can gain reach.
The Hugging Face infostealer incident quickly became a topic of intense discussion across security communities, where its mechanics were rapidly dissected. This incident, like others before it, prompts a critical question: why do such vulnerabilities persist? Discussions point to the inherent risks of executable code within model repositories, including long-standing concerns around "pickle" files. The recurrence of such attacks underscores the ongoing challenge of implementing robust security practices and effective scanning tools within public repositories.
The Chain: How a Fake AI Model Becomes an Infostealer
The attack unfolded in a series of calculated steps, revealing the sophisticated nature of this Hugging Face infostealer campaign:
The Lure
An unsuspecting developer navigates to huggingface[.]co/Open-OSS/privacy-filter. The repository's model card was a near-verbatim copy of OpenAI's real project, lending it immediate legitimacy. The README instructed users to clone the repository and execute start.bat (for Windows) or python loader.py (for Linux/macOS).
The Python Dropper (loader.py)
Executing loader.py first runs deceptive AI-related code—a DummyModel class, synthetic dataset, and fake training output. This code was designed to appear legitimate and distract from the malicious activity. In the background, the script disables SSL verification, decodes a base64 URL (https[://]jsonkeeper[.]com/b/AVNNE), and fetches a JSON payload. The cmd field from that JSON is then passed directly to PowerShell. Any failures here are silent, thanks to a bare except block. This jsonkeeper[.]com URL functions as a C2 channel, allowing attackers to rotate payloads. This aligns with MITRE ATT&CK technique T1105 (Ingress Tool Transfer).
Hidden PowerShell Execution
The fetched command runs via powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command <cmd>. The WindowStyle Hidden and creationflags=0x08000000 (CREATE_NO_WINDOW) flags ensure no visible window appears. This stage is Windows-only, leveraging T1059.001 (PowerShell) for execution.
Second-Stage Downloader
The PowerShell command downloads update.bat from https[://]api.eth-fastscan[.]org/update.bat to %TEMP%\update.bat. The domain eth-fastscan[.]org mimics a blockchain analytics API, adding another layer of perceived legitimacy. It then launches update.bat using cmd.exe /k, which leaves a cmd.exe process as an indicator for forensic analysis.
The update.bat Script
This batch file proceeds to the next critical stages of the attack.
- It first checks for administrator privileges and attempts to self-elevate using
cacls.exeandStart-Process -Verb RunAs, a common tactic for T1548.002 (Bypass User Account Control). - It then downloads the final payload, `sefirah`, from
https[://]api.eth-fastscan[.]org/sefirahto a randomly named.exefile in%TEMP%,%LOCALAPPDATA%, or%APPDATA%. - To facilitate evasion and persistence, it adds the payload executable to Microsoft Defender's exclusion list, a form of T1562.001 (Disable or Modify Tools).
- It generates a runner script (
%TMP%\runner.ps1) to execute the binary. - It abuses scheduled tasks, creating one named
MicrosoftEdgeUpdateTaskCore[a-z0-9]{8}set to run the runner script as SYSTEM on startup with highest privileges. This leverages T1053.005 (Scheduled Task/Job). - Finally, it triggers the task immediately, waits two seconds, and then deletes the task. This means no persistence is established via the task itself; it's solely a one-shot SYSTEM-context launcher.
The Infostealer (sefirah)
This is the final Rust-based payload, a 1.07 MB executable packed with anti-analysis features. It obfuscates Windows APIs, detects debuggers, sandboxes, and virtual machines (VirtualBox, VMware, QEMU, Xen). It even attempts to disable Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), further demonstrating T1562.001 (Disable or Modify Tools).
- Once active, it collects data in parallel: browser data (cookies, passwords, encryption keys, session tokens) from Chromium and Gecko browsers, Discord tokens and master keys, cryptocurrency wallets and browser extensions, SSH, FTP, and VPN credentials (including FileZilla), sensitive local files, and multi-monitor screenshots. This is a clear example of T1555 (Credential Access) and T1119 (Automated Collection).
- All this stolen data is compressed into a JSON payload and exfiltrated via WinHTTP to the C2 server,
recargapopular[.]com, using a Bearer authorization header. This aligns with T1041 (Exfiltration Over C2 Channel).
The Real Impact: Beyond the Downloads
Users who downloaded and ran this code face severe consequences: their machines are compromised. This extends beyond the loss of a few passwords, encompassing a complete compromise of digital identity and potentially financial assets. The infostealer targets everything from browser sessions to crypto wallets and SSH keys.
The fact that this Hugging Face infostealer repository reached #1 trending with inflated metrics indicates a significant gap in how these platforms are monitored. Relying solely on post-incident takedowns is insufficient. By the time HiddenLayer researchers identified the malicious code on May 7, 2026, and Hugging Face removed it on May 8, 2026, thousands of users had already been affected.
This incident also shows overlap with an npm typosquatting campaign distributing a Windows-targeting implant, suggesting shared tooling or coordination among threat actors, highlighting a persistent threat in the software supply chain.
What We're Still Getting Wrong (And How to Fix It)
Hugging Face removed the Hugging Face infostealer repository quickly once alerted, a necessary response that nonetheless addresses the incident post-compromise rather than proactively preventing it. The core issue is that the AI model supply chain, especially on platforms hosting executable code alongside models, operates on an implicit trust model that attackers consistently exploit.
The current landscape necessitates a shift towards a zero-trust model for AI dependencies. Expecting users to manually inspect every loader.py or start.bat in a trending repository is neither scalable nor realistic.
Any repository containing executable scripts—Python files, shell scripts, or complex setup.py files—should undergo mandatory, automated sandboxed execution review before it can achieve significant visibility or trending status. This involves running the code in an isolated environment, monitoring its behavior, and flagging suspicious activities like disabling SSL verification, downloading external binaries, or attempting privilege escalation. Tools like Mandiant's CAPE sandbox or Cuckoo Sandbox, integrated into platform pipelines, can provide this dynamic analysis.
New accounts, particularly those pushing repositories that quickly gain traction, also require a higher bar for verification, such as mandatory multi-factor authentication, identity verification, or manual review for new accounts that rapidly gain traction. The 667 auto-generated likes on this fake repository should have triggered an immediate review. Platforms could implement behavioral analytics to detect anomalous engagement patterns, similar to how social media platforms identify bot networks.
Attackers are employing anti-analysis features and payload rotation. Simple static analysis or signature-based scanning is no longer sufficient. To counter attackers' use of anti-analysis features and payload rotation, platforms must integrate dynamic analysis and behavioral monitoring into their security pipelines. This means moving beyond basic hash checks to observe runtime behavior and API calls, identifying deviations from expected model loading processes to detect such Hugging Face infostealer campaigns.
Beyond platform-level changes, developers also need better education on supply chain risk, specifically through practical training on identifying malicious patterns, understanding the implications of disabling SSL verification, and the inherent risks of executing untrusted scripts. Awareness of the full attack chain, the dangers of disabling SSL verification, and the risks of running scripts from untrusted sources is critical.
For anyone who downloaded `Open-OSS/privacy-filter` or any of the `anthfu` repositories (like `anthfu/Bonsai-8B-gguf` or `anthfu/DeepSeek-V4-Pro`), immediate and drastic action is paramount. Your machine must be reimaged, not merely cleaned, as full compromise should be assumed.
Every single stored credential—from browser passwords and password managers to SSH keys, FTP credentials, cloud tokens, and Discord passwords—must be rotated. Furthermore, assume all browser sessions are compromised and invalidate them. If cryptocurrency funds were on the device, move them to a new wallet generated on a clean device, as seed phrases and keys are likely compromised.
The 'Open-OSS/privacy-filter' Hugging Face infostealer incident highlights a critical deficiency: the current security posture for AI model repositories is inadequate. We cannot continue to address individual malicious packages reactively. Systemic changes are required to embed security into the platform's core, shifting from reactive incident response to proactive threat prevention and detection. The tangible cost of implicit trust in executable code within these repositories demands a direct address of this vulnerability.
