Fake OpenAI Repo on Hugging Face Spreads Info-Stealer to Windows
A fraudulent repository masquerading as OpenAI’s "Privacy Filter" project has been discovered on Hugging Face, the popular model‑sharing hub. The repo, which briefly made the platform’s trending list, was downloaded more than 2,500 times before being taken offline. It presented a convincing README, complete with OpenAI branding and a link to a non‑existent OpenAI site, aiming to lure developers into installing the malicious package.
The package’s installation script (setup.py) drops a PowerShell loader that decodes a base64‑encoded payload and executes a .NET‑based infostealer. The malware, internally tracked as “DarkWatch,” harvests browser‑stored credentials, session cookies, cryptocurrency wallet data, SSH private keys, and screenshots. It contacts a command‑and‑control (C2) server over HTTPS, exfiltrating the stolen data as a JSON blob. The infection chain also attempts to disable Windows Defender real‑time protection to avoid detection.
Security researchers from Cisco Talos identified the threat and notified Hugging Face, which removed the repository within a few hours of the report. Users who may have installed the package are advised to audit their systems for unknown processes, revoke potentially compromised credentials, and employ endpoint detection solutions to flag the malicious C2 traffic. Hugging Face has since announced plans to introduce repository signing and a “Trusted Publisher” verification system to curb similar supply‑chain attacks.
The incident underscores the growing risk of supply‑chain attacks targeting the AI/ML ecosystem, where developers routinely pull code from public hubs without thorough review. Organizations should implement package integrity checks, use sandboxed environments for testing, and keep security tooling such as pip‑audit or OWASP Dependency‑Check up to date. As AI projects become more integrated into production pipelines, vigilance in code provenance and continuous monitoring will be critical to preventing malware delivery through trusted open‑source platforms.
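The install-time pattern the article describes (a setup.py hook that base64-decodes a command and hands it to PowerShell) is something a package integrity check can screen for before pip ever runs the script. The following static scanner is an added example, not code from the article, Cisco Talos or Hugging Face; the sample setup.py, its harmless base64 string and the indicator lists are constructed for illustration.

```python
import ast
import re
# Constructed sample setup.py modelled on the behaviour the article describes: an install
# hook that base64-decodes a placeholder command (harmless) and hands it to PowerShell.
SUSPICIOUS_SETUP = '''
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        install.run(self)
        cmd = base64.b64decode("V3JpdGUtSG9zdCAnaGknCg==").decode()
        subprocess.Popen(["powershell", "-EncodedCommand", cmd])
setup(name="privacy-filter", version="1.0", cmdclass={"install": PostInstall})
'''
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="clean-pkg", version="0.1")\n'

EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
              "subprocess.check_call", "os.system", "os.popen", "exec", "eval"}
DECODE_CALLS = {"base64.b64decode", "base64.b32decode", "base64.b85decode"}
HOOK_BASES = {"install", "develop", "egg_info", "build_py"}  # setuptools commands pip runs
SHELL_RE = re.compile(r"powershell|pwsh|-enc(odedcommand)?\b|cmd\.exe", re.I)

def _call_name(call: ast.Call) -> str:
    # Render the call target as 'module.func' or 'func' so it can be matched above.
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""

def scan_setup_py(source: str) -> list[tuple[int, str]]:
    # Static pre-install screen: return sorted (line, category) findings for
    # install-time hooks, process execution, payload decoding and shell strings.
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            bases = {getattr(b, "id", getattr(b, "attr", "")) for b in node.bases}
            if bases & HOOK_BASES:
                findings.add((node.lineno, "setuptools-hook"))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_CALLS:
                findings.add((node.lineno, "exec"))
            elif name in DECODE_CALLS:
                findings.add((node.lineno, "decode"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SHELL_RE.search(node.value):
                findings.add((node.lineno, "shell-string"))
    return sorted(findings)
```

A package whose setup.py triggers the hook, exec and decode categories together is a strong candidate for review in a sandbox rather than installation on a developer workstation; the check is a heuristic and will not catch code that builds its indicators at runtime.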