Flash News

Hugging Face Removes Fake OpenAI Privacy Filter Repository After It Tops Charts

A malicious repository impersonating OpenAI's privacy filter reached the top of the Hugging Face trending list, garnering approximately 244,000 downloads and 667 likes within 18 hours before being taken down.

Security firm HiddenLayer found that 657 of the 667 likes came from bot accounts. The repository carried a six-stage spyware chain: a loader.py first disabled security detection, and the final stage ran a Rust payload with SYSTEM privileges that stole Chrome and Firefox passwords, wallet recovery phrases, SSH keys and similar secrets, sent screenshots to the attacker's server, and checked for virtual machines to evade analysis.
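The practical lesson of the chain above is that a repository advertised as a model should contain weights and configuration, not a Python stager or native binaries. The script below is an added example, not code from HiddenLayer, Hugging Face or the incident itself: it walks a downloaded snapshot before anything is loaded and flags source or binary files, pickle-based checkpoints that execute on load, files whose safetensors name is not backed by a safetensors header, and Python files showing generic stager traits (process spawning, blob decoding, dynamic execution, network access). The extension allowlist, the regex heuristics and the small fake repo it builds are assumptions constructed for this example; the fake loader.py is only read, never run.

```python
from __future__ import annotations

import json
import re
import struct
import tempfile
from pathlib import Path

# File types an inference-ready model repo is expected to ship (assumption:
# tune this allowlist to the model families you actually consume).
ALLOWED_EXT = {".safetensors", ".json", ".txt", ".md", ".model", ".yaml", ".yml", ".jinja"}
ALLOWED_NAMES = {".gitattributes", "LICENSE"}
# Source or native code has no business in a weights repository.
CODE_EXT = {".py", ".sh", ".ps1", ".bat", ".cmd", ".exe", ".dll", ".so", ".dylib"}
# Formats that deserialise through pickle and therefore execute code on load.
PICKLE_EXT = {".bin", ".pkl", ".pickle", ".pt", ".pth", ".ckpt"}

# Generic stager traits for a Python "loader"; written for this example,
# not signatures taken from the incident.
PY_PATTERNS = [
    (re.compile(r"\bsubprocess\.|\bos\.system\("), "spawns processes"),
    (re.compile(r"\bctypes\."), "calls native code via ctypes"),
    (re.compile(r"base64\.b64decode|bytes\.fromhex\("), "decodes an embedded blob"),
    (re.compile(r"\bexec\(|\beval\("), "dynamic code execution"),
    (re.compile(r"urllib\.request|requests\.(get|post)|socket\.socket"), "network access"),
    (re.compile(r"Set-MpPreference|taskkill|\bschtasks\b"), "security tooling or persistence commands"),
    (re.compile(r"\.ssh\b|Login Data|logins\.json|wallet|seed phrase"), "touches credential or wallet stores"),
]


def scan_python(text: str) -> list[str]:
    """Return the label of every heuristic that fires on a Python source file."""
    return [label for pat, label in PY_PATTERNS if pat.search(text)]


def safetensors_header_ok(path: Path) -> bool:
    """A genuine safetensors file starts with an 8-byte little-endian header
    length followed by that many bytes of JSON; anything else is mislabelled."""
    with path.open("rb") as fh:
        raw = fh.read(8)
        if len(raw) < 8:
            return False
        (hlen,) = struct.unpack("<Q", raw)
        if hlen == 0 or hlen > 100_000_000:
            return False
        header = fh.read(hlen)
    try:
        json.loads(header)
    except ValueError:
        return False
    return True


def triage_repo(root: Path) -> list[tuple[str, str]]:
    """Walk a downloaded snapshot and return (relative path, reason) pairs.
    An empty result means nothing tripped the heuristics, not that the repo is safe."""
    findings: list[tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name in ALLOWED_NAMES:
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in CODE_EXT:
            findings.append((rel, "code or native binary in a weights repo"))
            if ext == ".py":
                findings.extend((rel, label) for label in scan_python(path.read_text(errors="replace")))
        elif ext in PICKLE_EXT:
            findings.append((rel, "pickle-based format: executes on load, prefer safetensors"))
        elif ext == ".safetensors":
            if not safetensors_header_ok(path):
                findings.append((rel, "safetensors name but the header is not safetensors"))
        elif ext not in ALLOWED_EXT:
            findings.append((rel, f"unexpected file type {ext or '(no extension)'}"))
    return findings


def build_sample_repo(root: Path) -> Path:
    """Construct a small fake snapshot: benign config and weights plus a pickle
    checkpoint and a loader.py with stager traits. All content is made up."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "config.json").write_text('{"model_type": "bert"}')
    header = json.dumps({"w": {"dtype": "F32", "shape": [1], "data_offsets": [0, 4]}}).encode()
    (root / "model.safetensors").write_bytes(struct.pack("<Q", len(header)) + header + b"\0\0\0\0")
    (root / "pytorch_model.bin").write_bytes(b"\x80\x04")  # pickle protocol-4 prefix
    (root / "loader.py").write_text(
        "import base64, subprocess, tempfile\n"
        "stage2 = base64.b64decode('QUFBQQ==')\n"
        "path = tempfile.mktemp()\n"
        "open(path, 'wb').write(stage2)\n"
        "subprocess.run([path])\n"
    )
    return root


def demo() -> list[tuple[str, str]]:
    """Build the sample repo in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_repo(build_sample_repo(Path(tmp) / "repo"))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real snapshot with `triage_repo(Path("~/.cache/huggingface/hub/<repo>/snapshots/<sha>").expanduser())` (path layout assumed) before any `from_pretrained` call; treat any finding as a reason to stop and read the file, and remember that trending rank and like counts are not part of the check because, as this incident shows, both can be bought.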

Market Mechanism: The attacker uploaded a fake AI model repository to induce downloads, exploiting the traffic drawn to event-driven open-source AI tools; the proceeds come from stolen cryptocurrency wallets and credentials. Hugging Face and legitimate AI developers stand to gain from stronger review, while users who rely on trending-list downloads, and wallet holders, bear the pressure.

Source: Public Information

ABAB AI Insight

HiddenLayer has previously disclosed multiple supply chain attacks on Hugging Face. This impersonation of the OpenAI privacy filter continues the malicious poisoning of AI model repositories seen since 2025, including several spyware cases that impersonated popular models such as Llama and Qwen. Attackers use the trending list to amplify exposure quickly.

In terms of capital pathways, the attackers used bots to inflate likes and downloads and manufacture hype, and invested in Rust payload and multi-stage loader development. The motive is quick monetization through stolen Discord tokens, wallet recovery phrases and credentials, which makes this a low-cost, high-return attack chain against the open-source AI supply chain.

Comparable cases include the malicious package incidents on PyPI and npm in 2024-2025 and the multiple repositories that impersonated DeepSeek and Qwen3. Hugging Face is now moving from open uploads toward stronger security scanning and review of trending entries.

Structural Judgment: This is, in essence, a reconstruction of the industry chain driven by technological substitution. The power to decide what gets discovered and distributed through an open-source AI repository's trending list is shifting from manual review to algorithmic recommendation; when that recommendation is gamed, effective control shifts from the developer community to the attackers. The mechanism is low-barrier uploads combined with high-heat amplification producing viral spread, which forces the platform to evolve from a purely open hub into infrastructure with security gateways.

ABAB News · Cognitive Law

The hotter the trend, the easier it is for malicious content to make the list.
The more convenient open-source becomes, the more fragile the supply chain.
The larger the download volume, the faster the risk exposure.

Source: ABAB News