7 Warning Signs of Fake OpenAI Repository on Hugging Face

In early May 2024, a malicious repository named Open-OSS/privacy-filter rocketed to the number-one trending spot on Hugging Face. It impersonated OpenAI’s legitimate Privacy Filter project and racked up 244,000 downloads before the platform took it down. HiddenLayer researchers discovered the campaign on May 7, revealing a Rust-based infostealer that targeted browser credentials, Discord tokens, cryptocurrency wallets, and more. The incident is a malware warning for the entire AI and machine learning community: knowing how to spot a fake repository before you run any of its code can save you from a devastating supply chain attack.


Attackers are getting clever. They copy legitimate model cards, use typosquatted names, and even include fake AI code to appear harmless. But careful inspection reveals telltale red flags. Here are seven specific signs to watch for when evaluating any Hugging Face repository, especially those claiming affiliation with OpenAI or other major AI companies.

1. Typosquatted Repository Names

The malicious repository used the name Open-OSS/privacy-filter — a subtle misspelling of OpenAI’s real project name. Attackers often replace a letter, add a hyphen, or use a different top-level domain to trick users who skim quickly. Legitimate OpenAI repositories live under official organizations like openai or openai-internal. Any variation that adds extra words, changes spelling, or uses a different namespace (like open-oss) should raise suspicion. Check the URL carefully before downloading anything.
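A small lookalike check for repository ids, added here as an example and not code from the article, HiddenLayer or Hugging Face. It applies the two heuristics the paragraph describes: a namespace that is not on your own verified-organization allowlist is flagged when, after lowercasing and stripping separators, it sits within a small edit distance of a protected brand or shares that brand's leading characters. `VERIFIED_ORGS` and `PROTECTED_BRANDS` are assumed placeholder lists you would maintain yourself; the edit-distance and prefix thresholds are likewise this example's choices.

```python
import re

# Assumed allowlist of organizations you have verified out of band (profile,
# linked website, maintainer history). Exact-match only; extend as needed.
VERIFIED_ORGS = {"openai", "meta-llama", "google", "facebook", "mistralai", "microsoft"}

# Brands that impersonators typically imitate (placeholder list).
PROTECTED_BRANDS = ["openai", "meta-llama", "mistralai", "google", "microsoft"]


def normalize(name: str) -> str:
    """Lowercase and drop separators so 'Open-AI' and 'open_ai' both become 'openai'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading run of characters."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def check_repo_id(repo_id: str, max_distance: int = 2, min_prefix: int = 4) -> dict:
    """Inspect the namespace of a 'namespace/name' id.

    Returns {'ok', 'verified', 'namespace', 'reasons'}: 'verified' means the namespace
    is on the allowlist; 'ok' is False when a lookalike heuristic fired."""
    if "/" not in repo_id:
        return {"ok": False, "verified": False, "namespace": "", "reasons": ["no namespace in repo id"]}
    namespace = repo_id.split("/", 1)[0]
    if namespace.lower() in VERIFIED_ORGS:
        return {"ok": True, "verified": True, "namespace": namespace, "reasons": []}
    norm = normalize(namespace)
    reasons = []
    for brand in PROTECTED_BRANDS:
        b = normalize(brand)
        dist = levenshtein(norm, b)
        if dist <= max_distance:
            reasons.append(f"namespace {namespace!r} is within edit distance {dist} of {brand!r}")
        elif common_prefix_len(norm, b) >= min_prefix:
            reasons.append(f"namespace {namespace!r} shares prefix {norm[:min_prefix]!r} with {brand!r}")
    return {"ok": not reasons, "verified": False, "namespace": namespace, "reasons": reasons}


if __name__ == "__main__":
    for rid in ["Open-OSS/privacy-filter", "open-ai/gpt2", "openai/whisper", "someuser/my-model"]:
        print(rid, "->", check_repo_id(rid))
```

An unverified namespace with no reasons is reported as `ok` but `verified: False`, so a script can still require a manual look before anything is downloaded from it.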

2. Near-Verbatim Copy of the Legitimate Model Card

The fake repo copied OpenAI’s official model card almost word for word. That makes the repository look authentic at first glance, but it is a classic impersonation tactic: scammers know that most users glance at the description and move on. A legitimate repository usually includes unique details, version history, and specific training configurations. If the text feels generic or matches another well-known project exactly, treat it as a warning sign. Use a search engine to compare the model card text against the original.

3. Suspicious Scripts in the Repository Files

HiddenLayer found a loader.py file that contained fake AI code to appear harmless. In reality, it disabled SSL verification, decoded a base64 URL, fetched a JSON payload, and executed a PowerShell command — all in the background. Any repository that includes executable scripts (Python, shell, or batch files) with obfuscated code, encoded URLs, or calls to external servers should be treated with extreme caution. Legitimate models typically provide only weight files, configuration JSON, and a simple inference script. If you see a script that downloads something from an unknown domain, do not run it.

4. Artificially Inflated Metrics (Likes and Downloads)

The malicious repository had 667 likes and 244,000 downloads. Researchers noted that the vast majority of those likes appeared to be auto-generated, and the download count may have been artificially inflated using bots. Attackers use fake engagement to push a repository to the trending list, where it gains organic visibility. Look for signs of bot activity: many accounts with similar naming patterns, no comments, or a sudden spike in downloads within hours of upload. A repository that rockets to number one overnight without a corresponding social media buzz or official announcement is suspicious.
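A way to put numbers on the bot-activity signs listed above, added here as an example rather than anything from the article or from Hugging Face's own trending logic. Given a list of (username, timestamp) like events, it scores three things: the share of machine-looking usernames, how concentrated the usernames are on one prefix, and how much of the total engagement falls inside a single one-hour window. The like events are constructed for the example (forty `user10000`-style accounts liking within twenty minutes, ten organically named accounts spread over ten days); the thresholds and the username pattern are assumptions to tune against your own data, and the same sliding window works on download events.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Usernames that look machine-generated: letters, optional separator, three or more digits.
GENERIC_NAME = re.compile(r"^[A-Za-z]+[_-]?\d{3,}$")


def burst_ratio(timestamps, window=timedelta(hours=1)) -> float:
    """Largest share of events that fall inside any single sliding window."""
    ts = sorted(timestamps)
    if not ts:
        return 0.0
    best, j = 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best / len(ts)


def prefix_concentration(names, prefix_len=4) -> float:
    """Share of accounts whose first characters equal the single most common prefix."""
    if not names:
        return 0.0
    counts = Counter(n[:prefix_len].lower() for n in names)
    return max(counts.values()) / len(names)


def assess_engagement(events, generic_threshold=0.5, prefix_threshold=0.5, burst_threshold=0.6) -> dict:
    """events: iterable of (username, datetime). Returns the three scores and the flags raised."""
    events = list(events)
    if not events:
        return {"generic_share": 0.0, "prefix_concentration": 0.0, "burst_ratio": 0.0, "flags": []}
    names = [u for u, _ in events]
    times = [t for _, t in events]
    generic_share = sum(1 for n in names if GENERIC_NAME.match(n)) / len(names)
    prefix = prefix_concentration(names)
    burst = burst_ratio(times)
    flags = []
    if generic_share >= generic_threshold:
        flags.append("generic_usernames")
    if prefix >= prefix_threshold:
        flags.append("shared_name_prefix")
    if burst >= burst_threshold:
        flags.append("engagement_burst")
    return {"generic_share": generic_share, "prefix_concentration": prefix,
            "burst_ratio": burst, "flags": flags}


# Constructed sample data (not real Hugging Face accounts or timestamps).
BASE = datetime(2024, 5, 6, 3, 0)


def constructed_bot_likes(n=40):
    """n likes from user10000.. accounts, one every 30 seconds: all inside 20 minutes."""
    return [(f"user{10000 + i}", BASE + timedelta(seconds=30 * i)) for i in range(n)]


ORGANIC_NAMES = ["mlresearcher", "datawrangler", "tensor-jane", "nlp_pete", "kimchi_ai",
                 "rustacean42", "gradient_ghost", "annotator", "modelzoo", "finetuner"]


def constructed_organic_likes():
    """Ten likes spread over the preceding ten days, each more than a day apart."""
    return [(name, BASE - timedelta(days=i + 1, hours=i)) for i, name in enumerate(ORGANIC_NAMES)]


if __name__ == "__main__":
    print("mixed:  ", assess_engagement(constructed_bot_likes() + constructed_organic_likes()))
    print("organic:", assess_engagement(constructed_organic_likes()))
```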

5. Anti-Analysis Code and Evasion Techniques

The final payload, named sefirah, was a Rust-based infostealer with extensive anti-analysis features: it checked for virtual machines, sandboxes, debuggers, and analysis tools. If a repository’s code includes VM-environment checks, debugger detection, or attempts to disable security software (such as adding itself to Microsoft Defender exclusions), it is almost certainly malicious. Legitimate open-source projects rarely need to hide their behavior, and any code that tries to evade inspection is a clear warning sign.
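A static triage scanner for the script-level signs in items 3 and 5 (disabled SSL verification, base64-hidden URLs, shell and PowerShell execution, VM and debugger checks, Defender exclusions), added here as an example and not code from HiddenLayer or the article. It makes two passes over a Python file: a line-level regex pass for the behaviours named above, and an `ast` pass that finds string literals that base64-decode to an `http(s)://` URL. `SAMPLE_LOADER` is a constructed script that imitates the pattern described for loader.py; it is not the real file, its URL points at a reserved `.example` name, and the signature names and regexes are this example's own.

```python
import ast
import base64
import re

# Line-level signatures for the behaviours the article attributes to loader.py
# and to the sefirah payload. Names and patterns are this example's assumptions.
SIGNATURES = {
    "ssl_verification_disabled": re.compile(r"verify\s*=\s*False|_create_unverified_context|CERT_NONE"),
    "shell_execution": re.compile(r"\b(?:os\.system|os\.popen|subprocess\.(?:run|Popen|call|check_output))\s*\("),
    "powershell_invocation": re.compile(r"powershell(?:\.exe)?", re.IGNORECASE),
    "dynamic_code_execution": re.compile(r"\b(?:exec|eval)\s*\("),
    "vm_or_sandbox_check": re.compile(r"VirtualBox|VMware|QEMU|Hyper-V|sandbox|IsDebuggerPresent|sys\.gettrace", re.IGNORECASE),
    "defender_exclusion": re.compile(r"Add-MpPreference|ExclusionPath", re.IGNORECASE),
}

# Loose shape of a base64 string long enough to hide a URL.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_hidden_urls(source: str) -> list:
    """Return (lineno, url) for every string literal that base64-decodes to an http(s) URL."""
    found = []
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return found  # not valid Python; the regex pass still runs over the raw text
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and B64_SHAPE.match(node.value):
            try:
                text = base64.b64decode(node.value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                continue
            if re.match(r"https?://", text):
                found.append((node.lineno, text))
    return found


def scan_source(source: str) -> dict:
    """Run both passes over one script and summarize as a verdict plus evidence."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings.append((name, lineno))
    urls = decode_hidden_urls(source)
    verdict = "suspicious" if findings or urls else "clean"
    return {"verdict": verdict, "findings": findings, "decoded_urls": urls}


def scan_file(path: str) -> dict:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed sample imitating the loader behaviour described in the article.
# It is not the real loader.py; the decoded URL uses a reserved .example name.
SAMPLE_LOADER = '''\
import base64, platform, requests, subprocess
if "VirtualBox" in platform.node():
    raise SystemExit
URL = base64.b64decode("aHR0cHM6Ly9wYXlsb2FkLmV4YW1wbGUvY29uZmlnLmpzb24=").decode()
cfg = requests.get(URL, verify=False).json()
subprocess.run(["powershell", "-Command", "Get-Date"])
'''

if __name__ == "__main__":
    import json
    import sys
    report = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_LOADER)
    print(json.dumps(report, indent=2))
```

Run it with a path to scan a downloaded script, or with no arguments to see the report for the constructed sample. A "clean" verdict only means none of these signatures fired; it is a triage step before reading the file, not a substitute for it.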


6. Data Exfiltration to an External Command-and-Control Server

The stolen data was compressed and sent to a C2 server at recargapopular[.]com. Even if a repository’s scripts appear to do simple file operations, check for any network connections to unknown IP addresses or domains. Use tools like netstat or Wireshark to monitor outbound traffic from your machine when testing a new model. If you see connections to domains that are not related to Hugging Face or the model’s legitimate sources, terminate the process immediately. Attackers often encode these URLs in base64 to hide them, as seen in this campaign.

7. Overlaps with Known Malware Campaigns in Other Ecosystems

HiddenLayer researchers noticed overlaps between this Hugging Face campaign and an npm typosquatting campaign that distributed the WinOS 4.0 implant. Attackers reuse infrastructure and code across platforms. If you find a repository that shares file names, domain patterns, or code snippets with known malware from PyPI, npm, or GitHub, treat it as highly dangerous. Cross-referencing indicators of compromise (IoCs) from security reports can help you identify a fake repo before it infects your system. Always search for the repository’s name or author in threat intelligence feeds.
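An outbound-connection audit covering items 6 and 7, added here as an example and not a tool from the article or from HiddenLayer. It parses `ss -tnp` style output, maps each peer IP to the name your resolver or capture saw for it, and labels the destination as allowed (suffix match against a Hugging Face domain allowlist), a known indicator (the defanged `recargapopular[.]com` from the report, refanged for matching), or unknown. The `ss` lines, the IP-to-name map and the allowlist are constructed for the example, using documentation IP ranges; the suffix match is done on label boundaries so that `huggingface.co.attacker.example` and `evil-huggingface.co` are not mistaken for the real domain.

```python
import re

# Assumed allowlist for a Hugging Face download session; extend with your own
# mirrors, package indexes and proxies.
ALLOWED_DOMAINS = ["huggingface.co"]

# Defanged indicator taken from the article; refang() restores the matchable form.
KNOWN_IOCS = ["recargapopular[.]com"]

# Shape of one `ss -tnp` line: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=M))
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def refang(indicator: str) -> str:
    """Turn 'hxxp://evil[.]example' style notation back into a matchable host or URL."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def host_matches(host: str, domain: str) -> bool:
    """Suffix match on label boundaries: 'cdn-lfs.huggingface.co' matches 'huggingface.co',
    while 'huggingface.co.attacker.example' and 'evil-huggingface.co' do not."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_ss_lines(lines):
    """Yield (peer_ip, peer_port, process, pid) for established sockets in ss -tnp output."""
    for line in lines:
        m = SS_LINE.match(line.strip())
        if not m or m["state"] != "ESTAB":
            continue
        ip, port = m["peer"].rsplit(":", 1)
        yield ip.strip("[]"), int(port), m["proc"], int(m["pid"])


def classify_connections(ss_output, resolved):
    """Label each established connection allowed, known_ioc or unknown.
    `resolved` maps peer IPs to the names seen in your resolver log or capture;
    unresolved IPs are reported as-is and land in 'unknown'."""
    iocs = [refang(i) for i in KNOWN_IOCS]
    report = []
    for ip, port, proc, pid in parse_ss_lines(ss_output):
        host = resolved.get(ip, ip)
        if any(host_matches(host, d) for d in ALLOWED_DOMAINS):
            label = "allowed"
        elif any(host_matches(host, d) for d in iocs):
            label = "known_ioc"
        else:
            label = "unknown"
        report.append({"pid": pid, "process": proc, "host": host, "port": port, "label": label})
    return report


# Constructed sample: three sockets from one python process, peers in documentation IP ranges.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51234 192.0.2.10:443 users:(("python3",pid=4242,fd=5))
ESTAB 0 0 10.0.0.5:51240 203.0.113.77:443 users:(("python3",pid=4242,fd=9))
ESTAB 0 0 10.0.0.5:51251 198.51.100.9:443 users:(("python3",pid=4242,fd=11))
""".splitlines()

# Constructed IP-to-name map standing in for a resolver log.
SAMPLE_RESOLVED = {
    "192.0.2.10": "cdn-lfs.huggingface.co",
    "203.0.113.77": "recargapopular.com",
    "198.51.100.9": "huggingface.co.attacker.example",
}

if __name__ == "__main__":
    for entry in classify_connections(SAMPLE_SS, SAMPLE_RESOLVED):
        print(entry)
```

Feed it live output from `ss -tnp` while a freshly downloaded model loads, and treat any `known_ioc` or `unknown` row from the loading process as a reason to stop and investigate rather than a result to explain away.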

What to Do If You Have Already Downloaded from a Suspicious Repository

If you downloaded any files from the Open-OSS/privacy-filter repo or similar fakes, take immediate action. Reimage the affected machine completely — simply deleting the files is not enough because the malware may have installed persistence mechanisms. Rotate every stored credential: passwords, API keys, SSH keys, and VPN certificates. Replace cryptocurrency wallets and seed phrases with new ones generated on a clean device. Invalidate all browser sessions and tokens, especially for Discord, GitHub, and cloud services. Assume that any data on the compromised machine is now in the hands of the attacker.

The AI and machine learning community depends on trust in open-source repositories. But as this incident shows, attackers are willing to invest in sophisticated impersonation campaigns to steal sensitive data. By checking for typosquatted names, comparing model cards, inspecting scripts, verifying metrics, watching for anti-analysis code, monitoring network traffic, and cross-referencing with known campaigns, you can protect yourself and your organization from becoming the next victim. Stay vigilant, and always treat a trending repository with healthy skepticism until you have verified its legitimacy.
