Fake OpenAI Privacy Filter Repo Delivers Infostealer
HiddenLayer researchers reported that a malicious Hugging Face repository named Open-OSS/privacy-filter impersonated OpenAI's Privacy Filter and delivered an information-stealing payload, appearing among the platform's trending projects before removal. The Hacker News and daily.dev report the repo reached roughly 244,000 downloads before Hugging Face disabled access. Per HiddenLayer's technical report, the project copied OpenAI's model card nearly verbatim and shipped a loader.py and a start.bat that fetch and execute a multi-stage payload, including a PowerShell chain that downloads a second-stage batch and a final Rust-based infostealer that harvests browser credentials, Discord tokens, crypto wallets, and other sensitive files. HiddenLayer published indicators of compromise and recommended reimaging affected hosts and rotating credentials. Reporting by The Hacker News, daily.dev, and IT Security News amplifies the HiddenLayer findings.
What happened
HiddenLayer reported on May 7, 2026 that a malicious Hugging Face repository, Open-OSS/privacy-filter, had typosquatted OpenAI's legitimate Privacy Filter release and appeared in the platform's trending list. The Hacker News and daily.dev report that the repo accumulated about 244,000 downloads before Hugging Face disabled access, while HiddenLayer described the count as "over 200k" in its incident summary.
Technical details
HiddenLayer's analysis shows the repo copied OpenAI's model card nearly verbatim and instructed users to run start.bat (Windows) or python loader.py (Linux/macOS). Per HiddenLayer, the loader.py contains decoy model code plus logic that disables SSL verification, decodes a Base64 URL hosted on the public paste service JSON Keeper, and executes a PowerShell command to pull a second-stage batch script from a remote host (reported as api.eth-fastscan[.]org). The second-stage script elevates privileges via a UAC prompt, configures Microsoft Defender exclusions, downloads a Rust-based infostealer binary, and sets a scheduled task to persist execution. The final payload, according to HiddenLayer and corroborated in reporting by The Hacker News and daily.dev, includes credential harvesting from browsers, Discord tokens, cryptocurrency wallets and extensions, SSH/FTP/VPN configs, screenshots, and other system artifacts. HiddenLayer notes extensive anti-analysis and evasion features and links the infrastructure to other malicious repositories and an npm typosquatting campaign associated with the WinOS 4.0 implant.
Industry context
Editorial analysis: Public reporting frames this incident as a continuation of supply-chain and typosquatting attacks that target open model hubs and package ecosystems. Observers have seen attackers reuse public paste services as dead-drop resolvers and chain lightweight loader scripts into richer, native binaries, which increases the difficulty of detection for casual users. For practitioners, high download counts on a model hub amplify potential impact because many users and automation pipelines clone trending repos without thorough provenance checks.
Context and significance
Editorial analysis: This case underscores risk vectors unique to ML infrastructure, namely model-card spoofing and executable convenience scripts (start.bat, loader.py) that blur the line between model artifacts and runnable software. The use of normal-looking repository metadata and verbatim documentation from a trusted project lowers the barrier for successful impersonation. Industry reporting highlights that the incident is notable primarily for its scale (hundreds of thousands of downloads) and for cross-ecosystem reuse of infrastructure, rather than for a novel malware family.
What to watch
Editorial analysis: Observers will likely follow three signals: how quickly model-hosting platforms update provenance and anti-typosquatting controls; whether other high-profile model releases are targeted with copycat repos; and whether defenders adopt automated provenance verification for CI pipelines that pull models from hubs. Practitioners should track the IOCs and remediation guidance published by HiddenLayer and check whether Hugging Face or other platforms publish additional takedown or verification measures. HiddenLayer recommended reimaging compromised hosts, rotating all credentials and moving crypto funds to wallets created on clean devices.
Takeaway for practitioners
Editorial analysis: The incident reinforces that treating model repositories as code supply chain assets, with the same provenance, signing, and CI hygiene expectations as packages, reduces exposure. Automated checks for repository ownership, model-card hashes, and blocking of executable convenience scripts in model artifacts are industry practices observers will likely emphasize after this case.
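The checks this paragraph lists (owner verification, model-card hashing, refusing convenience scripts) and the loader traits described under Technical details (SSL verification disabled, a Base64-decoded URL, a PowerShell hand-off) can be expressed as a small pre-execution gate that runs over a locally cloned repo before anything in it is imported or run. The following is an added example written for this page, not code from HiddenLayer, Hugging Face or OpenAI; the `TRUSTED_OWNERS` allowlist, the heuristic regexes and the on-disk fixtures are all constructed assumptions, and the fixtures contain inert text only.

```python
"""Pre-execution provenance gate for a locally cloned model repository (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical allowlist, constructed for this example: which hub owners may publish a model name.
TRUSTED_OWNERS = {"privacy-filter": {"openai"}}

# File types that turn a "model" repo into runnable software rather than a pure artifact.
SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".sh", ".exe", ".dll", ".msi"}

# Static heuristics for loader-like Python, mirroring the traits reported for loader.py:
# SSL verification disabled, Base64-decoded configuration, and a shell/PowerShell hand-off.
LOADER_HEURISTICS = {
    "ssl_verification_disabled": re.compile(r"verify\s*=\s*False|CERT_NONE|check_hostname\s*=\s*False"),
    "base64_decode": re.compile(r"\bb64decode\s*\("),
    "powershell_handoff": re.compile(r"powershell(\.exe)?\b", re.IGNORECASE),
    "shell_execution": re.compile(r"\b(subprocess\.(run|Popen|call|check_output)|os\.system)\s*\("),
}


def owner_is_trusted(repo_id, trusted=TRUSTED_OWNERS):
    """True if the owner half of 'owner/name' is allowlisted for that model name."""
    owner, _, name = repo_id.partition("/")
    return owner.lower() in trusted.get(name.lower(), set())


def model_card_hash(repo_dir):
    """SHA-256 of README.md with case and whitespace normalised, so trivial edits still match."""
    card = Path(repo_dir) / "README.md"
    if not card.is_file():
        return None
    normalised = " ".join(card.read_text(errors="replace").lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()


def find_script_files(repo_dir):
    """Convenience scripts and binaries that a model artifact has no need for."""
    root = Path(repo_dir)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES)


def scan_python_files(repo_dir):
    """Map each .py file to the loader heuristics it triggers; clean files are omitted."""
    root = Path(repo_dir)
    results = {}
    for path in sorted(root.rglob("*.py")):
        text = path.read_text(errors="replace")
        hits = sorted(name for name, rx in LOADER_HEURISTICS.items() if rx.search(text))
        if hits:
            results[str(path.relative_to(root))] = hits
    return results


def assess_repo(repo_id, repo_dir, reference_card_hash=None):
    """Combine the checks into a block / review / allow verdict with supporting reasons."""
    scripts = find_script_files(repo_dir)
    python_hits = scan_python_files(repo_dir)
    trusted = owner_is_trusted(repo_id)
    card = model_card_hash(repo_dir)
    # An untrusted owner shipping a card identical to the trusted project's is the impersonation signal.
    card_copied = reference_card_hash is not None and card == reference_card_hash and not trusted
    reasons = []
    if not trusted:
        reasons.append("owner not allowlisted for this model name")
    if scripts:
        reasons.append("convenience scripts/binaries present: " + ", ".join(scripts))
    if python_hits:
        reasons.append("loader heuristics triggered: " + "; ".join(f"{f} -> {h}" for f, h in python_hits.items()))
    if card_copied:
        reasons.append("model card duplicates a trusted project's card")
    if scripts or python_hits or card_copied:
        verdict = "block"
    elif not trusted:
        verdict = "review"
    else:
        verdict = "allow"
    return {"repo_id": repo_id, "verdict": verdict, "reasons": reasons, "model_card_sha256": card}


def build_fixture(kind):
    """Constructed on-disk fixtures (no network, nothing executed) for exercising the gate."""
    root = Path(tempfile.mkdtemp(prefix=f"repo-{kind}-"))
    (root / "README.md").write_text("# Privacy Filter\n\nModel card text (constructed).\n")
    (root / "config.json").write_text('{"model_type": "constructed"}\n')
    if kind == "impostor":
        # Inert text holding only the tokens the heuristics look for; it is never run.
        (root / "loader.py").write_text(
            "# constructed detection fixture, tokens only\n"
            "verify=False\nb64decode(\npowershell\nsubprocess.run(\n")
        (root / "start.bat").write_text("@echo off\nrem constructed fixture\n")
    return str(root)


if __name__ == "__main__":
    clean, impostor = build_fixture("clean"), build_fixture("impostor")
    reference = model_card_hash(clean)  # treat the clean copy as the trusted project's card
    for repo_id, path in (("openai/privacy-filter", clean), ("Open-OSS/privacy-filter", impostor)):
        result = assess_repo(repo_id, path, reference)
        print(result["repo_id"], "->", result["verdict"], result["reasons"])
```

In a CI pipeline the gate would sit between the clone step and any `import` or `trust_remote_code` use, failing the job on `block` and routing `review` to a human. The normalised card hash catches copy-paste duplication with cosmetic edits only; a "nearly verbatim" copy with reworded sentences needs a fuzzy comparison, which is why the owner allowlist, not the hash, is the primary control here.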
Scoring Rationale
Notable security incident for ML practitioners because a trending model repo delivered a multi-stage infostealer and amassed hundreds of thousands of downloads. The story raises supply-chain and provenance concerns for model hubs but does not introduce a novel malware family or systemic platform compromise.