- Attackers spoofed an OpenAI repo on HuggingFace and distributed an infostealer disguised as a “privacy filter” model
- The malware disabled SSL checks, escalated privileges, and deployed the ‘sefirah’ payload to steal credentials, crypto wallets and system data
- The fake repo hit 244,000 downloads and briefly topped the HuggingFace rankings before being removed, while other associated malicious repos were also removed
Cybercriminals were able to fake OpenAI products to distribute an infostealer malware to more than 240,000 computers before they were detected and eliminated, experts have warned.
Security researchers at HiddenLayer said they discovered a new repository on HuggingFace called Open-OSS/privacy filter.
According to HiddenLayer, the privacy filter repository is a typosquatted version of the official release, which came with a model card that was copied “almost verbatim.” The loader.py file shipped in it downloads and executes an infostealer, they added.
Rise to the top
Before dropping the infostealer, the malware first disabled SSL verification, decoded a base64 URL, and downloaded a JSON payload from it with a PowerShell command. This command in turn downloaded a batch file that escalated privileges, deployed the ‘sefirah’ payload, added it to Microsoft Defender’s exclusion list, and then ran it.
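A static triage check for the loader behaviour described above, as an added example (not HiddenLayer's tooling and not code from the malicious repo): it parses a Python file without executing it and flags disabled TLS verification, base64 literals that decode to URLs, and PowerShell launches. The function names, the finding labels and the constructed sample with its example.invalid URL are assumptions.

```python
import ast, base64, binascii, re

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
TLS_ATTRS = ("_create_unverified_context", "CERT_NONE")

def decoded_url(text):
    """Return the URL hidden in a base64 string literal, or None."""
    if len(text) % 4 or not B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return raw if raw.lower().startswith(("http://", "https://")) else None

def scan_source(source):
    """Parse (never execute) Python source; return sorted (line, finding) pairs."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        line = getattr(node, "lineno", 0)
        if isinstance(node, ast.keyword) and node.arg == "verify":
            # requests/httpx style: verify=False
            if isinstance(node.value, ast.Constant) and node.value.value is False:
                findings.add((line, "tls-verify-disabled"))
        elif isinstance(node, ast.Attribute) and node.attr in TLS_ATTRS:
            findings.add((line, "tls-verify-disabled"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = decoded_url(node.value)
            if url:
                findings.add((line, "base64-url:" + url))
            if "powershell" in node.value.lower():
                findings.add((line, "powershell-launch"))
    return sorted(findings)

# Constructed, inert sample: parsed only, and the PowerShell command is harmless.
_URL_B64 = base64.b64encode(b"https://example.invalid/stage.json").decode()
SAMPLE = f'''
import ssl, base64, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("{_URL_B64}").decode()
subprocess.run(["powershell", "-Command", "Write-Output test"])
'''

if __name__ == "__main__":
    for line, finding in scan_source(SAMPLE):
        print(f"line {line}: {finding}")
```

Any one finding is common in legitimate code; all three together in a model repo's loader script is the combination worth a manual review before the file is run.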
The infostealer itself does what most infostealers do – grabs data stored in browsers, exfiltrates Discord tokens, local databases and master keys, steals cryptocurrency wallet information, browser extension data, SSH, FTP, VPN credentials, as well as sensitive files stored locally. It can also take screenshots, exfiltrate system information and more.
The number of downloads on the fake repository is huge – 244,000 downloads in a few days.
However, this does not mean that every download led to an infection. BleepingComputer says download numbers may have been inflated and that the repository itself was “liked” by 667 auto-generated accounts. Even though it was all fake, the repository still managed to hit #1 on Hugging Face for a brief moment, which could certainly have led to infections.
However, by following the trail of the fake accounts, HiddenLayer was able to uncover other, less successful repositories that were also malicious and using the same infrastructure. All of these have since been removed from the platform.




