Fake OpenAI privacy filter repo tops Hugging Face

A typosquatting repository posing as OpenAI’s Privacy Filter reached the top of Hugging Face and delivered a Rust-based information stealer to Windows users.
A malicious repository impersonating OpenAI’s Privacy Filter climbed to the #1 trending spot on Hugging Face and was downloaded about 244,000 times before access was disabled. The repository used the name Open-OSS/privacy-filter and duplicated OpenAI’s model description to prompt users to run supplied scripts.
HiddenLayer’s analysis reported that the project instructed users to clone the code and run a Windows batch file, or a Python loader on other systems. The loader disables SSL verification, decodes a Base64-encoded URL stored on JSON Keeper, extracts a command and passes it to PowerShell. That command downloads a batch script from api.eth-fastscan[.]org, which prepares the Windows environment and fetches the next-stage binary.
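A static triage check for the three loader traits described above, written as an added example (it is not HiddenLayer's code and not the actual loader.py). The function names, trait labels and both sample scripts are constructed for illustration, and the check parses a script without running it.

```python
import ast

# Constructed samples for this example (not the real loader.py); placeholders only.
SAMPLE_SUSPICIOUS = '''
import base64, json, ssl, subprocess, urllib.request
ctx = ssl._create_unverified_context()
url = base64.b64decode("PLACEHOLDER").decode()
doc = json.load(urllib.request.urlopen(url, context=ctx))
subprocess.run(["powershell", "-Command", doc["cmd"]])
'''
SAMPLE_BENIGN = '''
import json, urllib.request
doc = json.load(urllib.request.urlopen("https://example.invalid/config.json"))
print(doc["name"])
'''

TLS_OFF_NAMES = {"_create_unverified_context", "CERT_NONE"}
B64_CALLS = {"b64decode", "urlsafe_b64decode"}
EXEC_CALLS = {"run", "Popen", "call", "check_call", "check_output", "system"}
ALL_TRAITS = {"tls-verification-disabled", "base64-decode", "powershell-exec"}

def _name(node):
    """Trailing identifier of a Name or Attribute node, '' for anything else."""
    return getattr(node, "attr", None) or getattr(node, "id", "")

def triage(source):
    """Return the loader traits found in Python source, without executing it."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if _name(node) in TLS_OFF_NAMES:
            hits.add("tls-verification-disabled")
        if (isinstance(node, ast.keyword) and node.arg == "verify"
                and isinstance(node.value, ast.Constant) and node.value.value is False):
            hits.add("tls-verification-disabled")  # e.g. requests.get(..., verify=False)
        if isinstance(node, ast.Call):
            fn = _name(node.func)
            if fn in B64_CALLS:
                hits.add("base64-decode")
            # Heuristic: only literal "powershell"/"pwsh" arguments are recognised.
            text = ast.dump(node).lower()
            if fn in EXEC_CALLS and ("powershell" in text or "pwsh" in text):
                hits.add("powershell-exec")
    return hits

def is_loader_like(source):
    """True when all three traits described in the article co-occur in one file."""
    return triage(source) >= ALL_TRAITS

if __name__ == "__main__":
    print(sorted(triage(SAMPLE_SUSPICIOUS)), is_loader_like(SAMPLE_BENIGN))
```

A match means the script should be read before anyone runs it; a clean result is not proof that a repository is safe.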
The batch script elevates privileges via a User Account Control prompt, configures Microsoft Defender exclusions, and schedules a task that launches a PowerShell script to run the downloaded executable. The scheduled task runs the payload with SYSTEM privileges and is deleted before any reboot, so the launcher does not establish persistence across reboots.
The final payload is a Rust-based information stealer. It captures screenshots and collects data from Discord, cryptocurrency wallets and extensions, system metadata, FileZilla configurations, wallet seed phrases, and browsers based on Chromium and Gecko engines. Stolen data is sent in JSON format to recargapopular[.]com.
HiddenLayer’s report described multiple anti-analysis measures in the final stage, including checks for debuggers, sandbox detection, virtual machine checks, and attempts to disable the Windows Antimalware Scan Interface and Event Tracing for Windows. Before removal, the impersonating repository had accumulated roughly 244,000 downloads and 667 likes within 18 hours; investigators suspect those figures were artificially inflated.
Further review uncovered six additional repositories that use a similar Python loader to deploy the same stealer. Those repositories were hosted under the account anthfu and include anthfu/Bonsai-8B-gguf, anthfu/Qwen3.6-35B-A3B-APEX-GGUF, anthfu/DeepSeek-V4-Pro, anthfu/Qwopus-GLM-18B-Merged-GGUF, anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF, and anthfu/supergemma4-26b-uncensored-gguf-v2.
HiddenLayer wrote:
“The repository had typosquatted OpenAI’s legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines.”
Panther’s analysis found the api.eth-fastscan[.]org domain also hosted a different Windows executable that beaconed to welovechinatown[.]info, infrastructure previously associated with campaigns delivering the ValleyRAT remote access trojan.
Hugging Face removed access to the malicious repository after the activity was reported, and security teams continue investigating the related infrastructure and accounts.








