Fake OpenAI Repository on Hugging Face Delivers Infostealer Malware: AI Supply Chain Security Alert

Photo by Compare Fibre on Unsplash

Key Takeaways

• A malicious Hugging Face repository impersonating OpenAI's Privacy Filter project was discovered on May 7, 2026 by HiddenLayer researchers — it briefly reached #1 on the platform's trending list before removal.
• The fake repository accumulated approximately 244,000 downloads and deployed a Rust-based infostealer that harvested browser credentials, cookies, encryption keys, and session tokens.
• Attackers used deliberate social engineering to trick developers into manually executing a dropper script (a program that installs malware onto the victim's machine) instead of using standard model-loading methods.
• Protect AI's scan of over 4 million Hugging Face models found roughly 352,000 unsafe or suspicious issues across 51,700 models — revealing just how deep this threat surface runs.

What Happened

On May 7, 2026, researchers at HiddenLayer uncovered a malicious repository on Hugging Face — the world's largest AI model hosting platform, home to over one million machine learning models used by virtually every major AI company — that had been carefully engineered to impersonate OpenAI's legitimate Privacy Filter project. The fake repository, named 'Open-OSS/privacy-filter,' used copied documentation, a convincing model card, and manipulated engagement metrics to appear credible. It briefly climbed to the #1 spot on Hugging Face's trending list — a position that naturally draws the attention of developers actively searching for new tools. Before the platform removed it, the repository had accumulated approximately 244,000 downloads, though security researchers noted the figure was likely partially inflated by automated activity, consistent with the 667 accounts that "liked" the repo, the vast majority of which appeared to be auto-generated bots.

The delivery mechanism was deceptively simple yet technically layered. The repository contained a file called loader.py packed with realistic-looking AI-related code as visual camouflage. Beneath that facade, the script silently disabled SSL verification (a standard security certificate check that confirms you're connecting to a legitimate server), decoded a base64-obfuscated (deliberately encoded to hide its true purpose) URL, and retrieved a JSON payload containing a PowerShell command — executed inside an invisible window so the victim would notice nothing unusual.

The final payload was a Rust-based infostealer (malware engineered to silently harvest sensitive credentials) targeting Chromium- and Gecko-based browsers including Chrome, Firefox, and Edge. It scraped cookies, saved passwords, encryption keys, session tokens (the digital credentials that keep you logged into services), and general browsing data. All of it was compressed and quietly transmitted to a command-and-control server (an attacker-controlled remote machine that receives stolen data) hosted at recargapopular[.]com. To ensure longevity, the malware established persistence via Windows Task Scheduler, meaning it would survive reboots and continue operating silently in the background.

Photo by Markus Spiske on Unsplash

Why It Matters for Your Organization's Security

This incident is not an isolated curiosity — it is a clear signal that the threat landscape for software development has expanded into a new and under-defended territory. For years, threat actors exploited developer trust in open-source package managers like npm (for JavaScript) and PyPI (for Python), poisoning libraries to compromise developer machines and the products built on them. Now, as Acronis TRU security analysts have explicitly warned, AI model repositories have become the new software supply chain attack surface. Developers working with AI tools regularly download and execute model code from community platforms with the same implicit trust they once placed in vetted software libraries — and attackers are exploiting exactly that assumption. Adopting rigorous cybersecurity best practices around AI tooling is no longer optional; it is a fundamental business risk management requirement.

The breadth of the problem is staggering. Protect AI, a firm partnered with Hugging Face on security initiatives, has scanned over 4 million models on the platform and identified approximately 352,000 unsafe or suspicious issues across 51,700 models. That is a systemic vulnerability embedded throughout the AI development ecosystem — not an edge case. For any organization using pre-trained models to accelerate product development, each unvetted download represents a potential entry point for attackers. Robust threat intelligence processes, including automated scanning of ingested model files, are the only scalable defense at this volume.

From a data protection standpoint, the consequences of this specific attack extend far beyond the infected machine. The infostealer specifically targeted session tokens and encryption keys — the kinds of credentials that grant persistent, authenticated access to cloud environments, developer portals, and CI/CD pipelines (automated systems that build and deploy software). A single compromised developer workstation at a small or mid-sized business could expose customer databases, cloud infrastructure credentials, or entire source code repositories. This is an enterprise-wide blast radius, not a personal device inconvenience. Strong cybersecurity best practices around how teams handle AI model dependencies are now directly tied to organizational data protection obligations.

The social engineering dimension is equally instructive. HiddenLayer researchers noted that the malicious repository's usage instructions were unusually insistent about running loader.py directly, bypassing the standard transformers.from_pretrained() method that experienced Hugging Face users would recognize as the normal model-loading path. This was a calculated tactic: by framing the manual execution step as a technical requirement, attackers circumvented both the platform's default safety controls and the developer's own intuition that something might be wrong. Security awareness training that specifically addresses deviations from expected developer workflows is increasingly essential — and it is one of the most cost-effective defenses available to organizations of any size.

The U.S. Department of Defense published formal guidance on AI and ML supply chain risks in March 2026, just two months before this attack was discovered — formally acknowledging community-hosted AI assets as a credible national security concern. Enterprise security teams should treat that acknowledgment as a clear indicator of where threat intelligence resources need to be directed next.

Photo by Numan Ali on Unsplash

The AI Angle

There is a sharp irony in AI development tools being weaponized against the very developers building AI systems — but the security community is responding in kind. AI-powered security platforms are rapidly becoming the most practical defense against these attacks. HiddenLayer's platform, built specifically for securing AI and ML pipelines, uses behavioral analysis to flag anomalous execution patterns — the kind of approach that can detect a loader.py initiating unexpected network calls before a payload is ever deployed, dramatically compressing incident response time.

Protect AI's Guardian tool, which underpins elements of Hugging Face's own scanning infrastructure, applies automated threat intelligence analysis to model files and associated scripts at scale. Its discovery of 352,000 issues across 4 million scanned models demonstrates both the power and the urgency of AI-layer security tooling. For organizations integrating AI models into production systems, embedding these scanning solutions into the development workflow is rapidly becoming a cybersecurity best practice on par with static code analysis (automated pre-execution checks for vulnerabilities). Threat detection at the model-ingestion layer — not just at the network edge — is the new frontier of enterprise security awareness, and teams that adopt it now will be significantly better positioned than those waiting for a breach to prompt action.

What Should You Do? 3 Action Steps

1. Audit and Lock Down Your AI Dependency Pipeline

Conduct an immediate inventory of every Hugging Face model, dataset, or script your team has downloaded or is currently using in any project. Verify each against the official publisher's confirmed identity — look for organization verification badges and cross-reference repository ownership with the vendor's official website. Going forward, enforce a policy that prohibits running any script from an AI repository that deviates from standard model-loading conventions, such as requiring manual execution of a standalone Python file. This single procedural control directly counters the social engineering tactic used in this attack and aligns with established cybersecurity best practices for supply chain risk management. Document all approved model sources and treat unapproved downloads as a security incident requiring review.

2. Deploy AI-Specific Threat Intelligence Scanning

Standard antivirus and endpoint protection tools are not built to analyze the serialized model files, custom loaders, and inference scripts that populate AI repositories. Integrate a dedicated AI security scanning solution — such as Protect AI's Guardian or HiddenLayer's AISec platform — into your model ingestion workflow before any downloaded file touches a development or production environment. These tools apply specialized threat intelligence to detect obfuscated code, suspicious network calls, and known malicious payload patterns embedded in model artifacts. For smaller teams without a dedicated security function, both platforms offer SaaS-based deployment options that provide enterprise-grade data protection coverage with minimal configuration overhead. Consider this tooling as mandatory infrastructure, not an optional upgrade.

3. Establish an AI-Specific Incident Response Plan

If any developer on your team has downloaded and executed code from a suspicious AI repository, treat it as a confirmed security incident and activate your incident response procedures immediately. Isolate the affected machine from the network, then assume full credential compromise for all browser-stored passwords, session tokens, API keys, and encryption keys on that device — rotate all of them across every connected service, including cloud consoles, code repositories, and CI/CD platforms. Preserve system logs for forensic analysis and assess what data the compromised machine had access to. Use the incident to drive an updated security awareness briefing across your engineering team focused specifically on AI supply chain threats. If customer or employee data may have been exposed, review your notification obligations under applicable data protection regulations and act accordingly.

Frequently Asked Questions

How do I protect my organization from accidentally downloading malware through fake Hugging Face repositories?

Effective protection requires layering policy, tooling, and training. On the policy side, maintain a whitelist of approved, verified publishers and require security review before any new model enters your pipeline. On the tooling side, use AI-specific scanners such as Protect AI's Guardian to automatically analyze files before execution. On the training side, build security awareness around the specific red flags used in these attacks — particularly any usage instructions that ask developers to run a standalone script rather than using the standard Hugging Face transformers library API. No single measure is sufficient on its own; combining all three layers is the cybersecurity best practice for this threat category.

What are the warning signs that an AI model repository might be malicious before I download it?

Several red flags warrant immediate scrutiny. First, verify the organization handle — attackers commonly use names that closely resemble legitimate publishers with minor variations, a tactic called typosquatting (using a slightly misspelled or similarly named identifier to impersonate a trusted source). Second, treat any usage instructions that require manually running a Python script with extreme caution; legitimate Hugging Face models load through the standard transformers library API. Third, inspect any included Python scripts for obfuscated strings, base64-encoded data, disabled SSL checks, or unexpected outbound network connections. Finally, apply healthy skepticism to newly created repositories with unusually high download counts or sudden trending status — as this attack demonstrated, these metrics can be easily manipulated. When in doubt, consult threat intelligence resources before downloading.

How can a small business implement AI supply chain security without a large dedicated security team?

Small businesses can build meaningful defenses without a full security department. Start by designating a sandboxed machine (an isolated test environment with no access to production systems or credential stores) specifically for evaluating new AI models before wider use. Leverage free scanning resources — Hugging Face provides some built-in safety scanning in partnership with Protect AI. Subscribe to threat intelligence alerts from CISA (the U.S. Cybersecurity and Infrastructure Security Agency) and security vendors like HiddenLayer, which publish notices about newly discovered malicious repositories. Most importantly, invest in security awareness training that teaches developers to apply the same skepticism to AI model code that they would apply to running an unknown executable — because functionally, that is exactly what it is. These steps together constitute practical, low-cost cybersecurity best practices for AI tooling.

What should I do if a developer on my team already ran a script from a suspicious AI model repository?

Activate your incident response plan without delay. Immediately disconnect the affected machine from all networks to stop any ongoing data exfiltration to the attacker's command-and-control server. Assume that every credential stored in the browser on that machine — passwords, cookies, session tokens, API keys — is compromised, and begin rotating them across all connected services: cloud provider consoles, GitHub or other code repositories, CI/CD platforms, and any SaaS tools. Revoke and reissue any API keys or service account credentials the machine had access to. Preserve system event logs and browser history for forensic investigation. Conduct a thorough assessment of what data that machine could have accessed, and if customer or employee data may have been involved, review your obligations under applicable data protection laws — most jurisdictions require timely notification of affected individuals and regulators.

How does AI model repository malware compare to traditional npm and PyPI package supply chain attacks, and is it more dangerous?

The core mechanics are strikingly similar, which is precisely why security analysts at Acronis TRU drew the direct comparison. In npm and PyPI supply chain attacks, threat actors publish packages with names nearly identical to popular legitimate libraries — tricking developers into installing them through standard package managers. AI repository attacks follow the same playbook: impersonate a trusted source, exploit community trust, and deliver a malicious payload through a familiar workflow. The key distinction that makes AI repository attacks potentially more dangerous is the higher baseline level of implicit trust: many developers treat model files as passive data artifacts rather than executable code, which lowers their guard compared to installing a software package. Additionally, AI model files involve complex serialized formats and custom scripts that conventional security tools are poorly equipped to analyze, giving malicious code more places to hide. Threat intelligence from both the research community and government agencies increasingly identifies AI platforms as a higher-risk evolution of the same supply chain vulnerability that has plagued package ecosystems for years.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.