A malicious Hugging Face repository impersonating OpenAI's legitimate Privacy Filter project reached the platform's trending list and accumulated 244,000 downloads before removal. The repository, Open-OSS/privacy-filter, relied on typosquatting, copied the legitimate model card nearly verbatim, and shipped a loader.py script that fetches and executes infostealer malware on Windows machines. That Python script disabled SSL verification, decoded a base64-encoded URL, and executed a PowerShell command that downloaded a batch file performing privilege escalation.
The final payload is a Rust-based infostealer targeting browser data, Discord tokens, cryptocurrency wallets, SSH and VPN credentials, and multi-monitor screenshots, with exfiltration to the command-and-control server recargapopular.com. The malware includes extensive anti-analysis features such as checks for virtual machines, sandboxes, debuggers, and analysis tools. HiddenLayer researchers noted that the vast majority of the 667 accounts liking the malicious repository appeared auto-generated, and the download count may have been artificially inflated.
Researchers uncovered overlaps with an npm typosquatting campaign distributing the WinOS 4.0 implant. Users who downloaded files from the repository are advised to reimage their machines, rotate all stored credentials, replace cryptocurrency wallets and seed phrases, and invalidate browser sessions and tokens. Previous incidents have involved threat actors abusing Hugging Face to host malicious models despite platform security measures. The campaign was discovered on May 7, with the repository briefly reaching the number one position on the platform.
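As an added example (not code from the report or from HiddenLayer), the following hypothetical helper performs a static triage of the .py files in a downloaded model repository before anything is imported, flagging the three loader behaviours the article describes: SSL verification disabled, a base64-decoded string, a remote fetch, and a PowerShell launch. The sample file contents are constructed with inert placeholders and are only ever scanned as text.

```python
# Hypothetical helper, not from the report: static triage of the .py files in a
# downloaded model repo, flagging the behaviours described for loader.py so a
# reviewer can inspect a file before anything in the repo is imported or run.
import re, tempfile
from pathlib import Path

# Heuristic indicators as (name, regex); each is matched against a whole file.
INDICATORS = [
    ("ssl_verification_disabled",
     re.compile(r"_create_unverified_context|verify\s*=\s*False|CERT_NONE")),
    ("base64_decoded_string", re.compile(r"b64decode\s*\(")),
    ("remote_fetch", re.compile(r"urlopen\s*\(|requests\.get\s*\(|urlretrieve\s*\(")),
    ("powershell_execution",
     re.compile(r"(?:subprocess\.\w+|os\.system|os\.popen)\s*\([^\n]*powershell", re.I)),
]

# Constructed samples; the second mirrors the article's description with inert
# placeholders and is only ever scanned as text, never executed.
BENIGN_LOADER = "from transformers import AutoModel\ndef load(p):\n    return AutoModel.from_pretrained(p)\n"
SUSPICIOUS_LOADER = (
    "import base64, ssl, subprocess, urllib.request\n"
    "ssl._create_default_https_context = ssl._create_unverified_context\n"
    "url = base64.b64decode('PLACEHOLDER').decode()\n"
    "cmd = urllib.request.urlopen(url).read().decode()\n"
    "subprocess.run(['powershell', '-Command', cmd])\n"
)

def scan_source(source: str) -> list[str]:
    """Return the names of the indicators present in one Python source text."""
    return [name for name, rx in INDICATORS if rx.search(source)]

def risk_level(hits: list[str]) -> str:
    """A shell launch, or SSL off combined with a remote fetch, is the loader pattern."""
    if "powershell_execution" in hits or {"ssl_verification_disabled", "remote_fetch"} <= set(hits):
        return "high"
    return "medium" if len(hits) >= 2 else "low" if hits else "none"

def triage_repo(repo_dir: Path) -> dict[str, list[str]]:
    """Scan every .py file under repo_dir; map relative path -> indicators found."""
    findings = {}
    for path in sorted(repo_dir.rglob("*.py")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path.relative_to(repo_dir))] = hits
    return findings

def demo() -> dict[str, list[str]]:
    # Write the constructed samples into a temporary "repo" and triage it.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "loader.py").write_text(SUSPICIOUS_LOADER, encoding="utf-8")
        Path(tmp, "modeling.py").write_text(BENIGN_LOADER, encoding="utf-8")
        return triage_repo(Path(tmp))
```

Run `triage_repo` on the directory `huggingface_hub` downloaded the repository into and treat any "high" file as a reason to stop and read it by hand; the patterns are heuristics, so a clean result is not proof of safety.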
