Fake OpenAI Repo Hit #1 on Hugging Face—And Stole Passwords While It Trended

Within days, a fake account named "Open-OSS" published a near-identical repository called privacy-filter. The model card was copied word for word from OpenAI's. The only difference in the “readme” file: instructions to clone the repo and run a file called start.bat on Windows, or loader.py on Linux and Mac.

The download numbers were almost certainly inflated the same way. Manufactured social proof to make the bait look real.

The malware basically worked like a poisoned pill wrapped in a very convincing candy coating. The loader.py script opens with fake model training output—progress bars, synthetic datasets, dummy class names—designed to look like a real AI loader is running.

Under the hood, it quietly disables security checks, pulls an encoded command from a public JSON paste site (a smart trick: no need to update the repository when the payload changes), and passes that command to PowerShell running completely hidden in the background. Windows users see nothing.

That command downloads a second script from a domain mimicking a blockchain analytics API. That script downloads the actual malware—a custom-built infostealer written in Rust—adds it to Windows Defender's exclusions list, then launches it at SYSTEM-level privileges via a scheduled task that immediately deletes itself after firing. The whole chain runs and cleans up after itself, leaving almost no trace.

The final payload is thorough. It grabs everything stored in Chrome and Firefox—saved passwords, session cookies, browser history, encryption keys, everything. It targets Discord accounts, cryptocurrency wallet seed phrases, SSH keys, FTP credentials, and takes screenshots across all monitors. Then it packages everything as a compressed JSON bundle and ships it to attacker-controlled servers.

There’s no need for us to tell you what the hackers can do with all that information later.

The malware also checks whether it's running in a virtual machine or a security sandbox, and quits quietly if it detects one. It's designed to run once on real targets, steal everything, and disappear.

This isn't an isolated incident. It's part of a pattern. HiddenLayer identified six additional repositories under a separate Hugging Face account named "anthfu," uploaded in late April, using the exact same malicious loader pointing to the exact same command server. Those repos impersonated models like Qwen3, DeepSeek, and Bonsai to lure AI developers.

If you cloned Open-OSS/privacy-filter on a Windows machine and ran any file from it, you should treat the device as fully compromised. Don't log into anything from that machine before wiping it.

After that, change all the credentials that were stored in your browser—passwords, session cookies, OAuth tokens. Move any crypto funds to a new wallet generated on a clean device ASAP and assume seed phrases were stolen.

Since it also gets your Discord information, and that service is heavily automated, you should invalidate your Discord sessions and reset that password. Any SSH keys or FTP credentials on that machine should be considered burned.

The repository is now removed. Huggingface has not disclosed what, if any, additional screening measures it plans to implement for trending repositories.

As of now, seven confirmed malicious repositories from this campaign have been identified. How many more exist—or existed before being detected—remains unknown.