A sophisticated campaign exploited trust in Hugging Face's model repositories by uploading malware that posed as the legitimate OpenAI project called "Privacy Filter." The malicious repository reached the trending list and accumulated, according to public metrics, about 244,000 downloads before being removed, an incident that shows how model marketplaces can become mass distribution vectors for malicious code.
The investigation was published by the company HiddenLayer, which detected the fraudulent collection on May 7. According to the technical analysis, the repository used typosquatting techniques and copied official documentation to pass unnoticed; it actually included a loader.py file whose real function was to disable SSL checks, decode a base64-encoded URL and run a remote payload through PowerShell that ended up installing an infostealer written in Rust nicknamed "sefirah." The infection chain included privilege escalation, modification of Microsoft Defender exclusions and exfiltration of data to a command-and-control server.

The reported malware was geared toward broad harvesting of secrets: credentials and cookies from Chromium and Gecko browsers, Discord tokens, cryptocurrency wallet keys and wallet browser extensions, SSH / FTP / VPN configuration files, wallet seed phrases and screenshots across multiple monitors. HiddenLayer also documented multiple anti-analysis techniques for avoiding detection in virtual environments and sandboxes, which complicates the work of incident response teams.
There are legitimate doubts about the actual extent of the damage: many "likes" and downloads may have been inflated by automated accounts or artificial metrics, but that does not reduce the technical risk or the need to contain the threat. In addition, researchers detected reuse of the same payload infrastructure across several repositories and a possible relationship to typosquatting campaigns in npm, suggesting an organized operation targeting software supply chains.
The practical implications are clear: model and dataset sharing platforms are not immune to abuse; their open nature makes them attractive targets for malicious actors seeking distribution and anonymity. This requires strengthening hygiene at both the platform and user level: author validation, automatic code scanning, artifact signing and stricter trust controls for anything executed locally.
If you downloaded files from the affected repository or suspect you may have run code from unverified sources, the safest technical recommendation is blunt: reimage the machine, rotate all credentials, and move cryptocurrency funds and replace seed phrases. In addition, invalidate browser sessions and OAuth tokens, replace SSH / FTP keys, review the exclusions on your antivirus and bear in mind that cleanup tools do not always remove sophisticated backdoors.
For users and teams that have not been infected but work with external models, preventive measures should be applied: run models and scripts in isolated environments or virtual machines, review the source code and loader scripts before executing them, prefer models published by verified organizations and use known signatures or hashes to check integrity. From an operational point of view, monitor suspicious outgoing connections and block C2-associated domains where appropriate.
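As an added example (not HiddenLayer's tooling or code from the page), a small Python triage script that checks a repository's loader script for the behaviours described above (SSL checks disabled, a base64-encoded URL decoded at runtime, PowerShell spawned, Defender exclusions modified) and verifies a downloaded artifact against a published hash; the indicator names and the sample loader fragments are constructed.

```python
import base64
import hashlib
import hmac
import re

# Indicators drawn from the behaviour reported for the malicious loader.py.
# A script whose job is to load a model has no business doing any of these.
INDICATORS = {
    "ssl_verification_disabled": re.compile(
        r"verify\s*=\s*False|_create_unverified_context|CERT_NONE"),
    "base64_decode": re.compile(r"b64decode|base64\.decode"),
    "powershell_launch": re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.IGNORECASE),
    "process_spawn": re.compile(r"subprocess\.|os\.system|os\.popen"),
    "defender_exclusion": re.compile(r"Add-MpPreference|ExclusionPath", re.IGNORECASE),
}

def find_indicators(source: str) -> dict:
    """Map each indicator name to the 1-based line numbers where it appears."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def decoded_urls(source: str) -> list:
    """Decode long base64 string literals and return those that turn out to be URLs."""
    urls = []
    for literal in re.findall(r"[\"']([A-Za-z0-9+/=]{16,})[\"']", source):
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def is_suspicious(source: str) -> bool:
    """Flag a loader that disables SSL, or spawns a process with a hidden URL/PowerShell."""
    hits = find_indicators(source)
    hidden_url = bool(decoded_urls(source))
    return ("ssl_verification_disabled" in hits
            or ("process_spawn" in hits and (hidden_url or "powershell_launch" in hits)))

def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of a downloaded artifact against a published SHA-256."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())

# Constructed, non-functional sample fragments (not the real loader) that exercise the
# indicators; the base64 literal decodes to a URL under the reserved example.invalid domain.
SAMPLE_LOADER = """import base64, subprocess, requests
resp = requests.get(manifest_url, verify=False)
target = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcGF5bG9hZA==")
subprocess.run(["powershell", "-c", script])
"""
```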

The platforms also have outstanding tasks: improve automatic detection of malicious patterns in repository files, strengthen content moderation processes, provide verifiable metadata on authors and offer fast reporting channels to incident responders. Hugging Face and other providers must balance openness and security to reduce the attack surface without strangling research and collaboration.
If you want to read the technical report that details this campaign, HiddenLayer published its analysis here: HiddenLayer - Malware found in Hugging Face repository. To understand the platform's policies and controls, see the Hugging Face security page: Hugging Face - Security. These readings help contextualize why source verification and execution in controlled environments are not optional but essential practices.
In short, this incident is a reminder that the flexibility of AI ecosystems brings with it specific security risks. Protecting oneself requires working on two fronts: demanding structural improvements from platforms and adopting practical defenses in the developer and end-user environment.