Hugging Face Breach: Malware Disguised as OpenAI Release

Summary: A malicious Hugging Face repository impersonating an OpenAI release distributed infostealer malware, with over 244,000 downloads before removal. Attackers may have inflated metrics to appear more credible.

In a concerning development, a malicious Hugging Face repository posing as an OpenAI release delivered infostealer malware to Windows machines. According to research by AI security firm HiddenLayer, the fake model was downloaded over 244,000 times before being removed. The attackers may have artificially inflated the download count to make the model appear more popular than it was, leaving the true impact of the attack unclear.

The repository, named ‘Open-OSS/privacy-filter’, closely mimicked OpenAI’s Privacy Filter release. The original model card was copied almost exactly, and the attackers included a malicious ‘loader.py’ file that fetched and executed credential-stealing malware on Windows hosts. This level of mimicry highlights the growing sophistication of threat actors in the AI space.

The malicious repo quickly climbed to the top of Hugging Face’s ‘trending’ list, amassing 667 likes in under 18 hours. However, these metrics may have been manipulated by the attackers, further complicating efforts to assess the scale of the breach.

Public AI model registries like Hugging Face are increasingly becoming vectors for supply chain attacks. As developers and data scientists clone models directly into corporate environments, the risk of compromising sensitive systems—including access to source code, cloud credentials, and internal infrastructure—has grown significantly.

The README file for the fake model closely resembled the legitimate project, but it contained subtle differences. It instructed users to run ‘start.bat’ on Windows or execute ‘python loader.py’ on Linux and macOS, which were central to the infection chain described by HiddenLayer. This indicates a deliberate attempt to trick users into executing malicious code without suspicion.

This incident follows previous warnings about malicious code hidden inside AI model files or setup scripts on public registries. In the past, attackers have used Pickle-serialized model files to bypass platform scanners, making detection more challenging. As AI adoption continues to rise, so does the need for stronger security measures around open-source AI repositories.
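A pre-use audit that a practitioner can run over a freshly cloned model directory before anything in it is executed or loaded, written here as an added example (not HiddenLayer's or Hugging Face's tooling). It reads pickle-based weight files opcode by opcode without unpickling them, so imported names are listed rather than run; the entry-script names come from the article, while the list of suspicious modules, the README pattern and the sample repository are constructed assumptions.

```python
import collections, io, pathlib, pickle, pickletools, re, tempfile, zipfile

# Modules a weight file has no reason to import (assumed list); a pickle that references them can run code on load.
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys", "socket", "runpy"}
ENTRY_SCRIPTS = {"loader.py", "start.bat"}          # entry points named in the incident's README
WEIGHT_SUFFIXES = {".bin", ".pkl", ".pt", ".pth", ".ckpt"}
RUN_HINT = re.compile(r"(python\s+\S+\.py|\S+\.bat)", re.I)  # README lines telling the user to run something
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING", "SHORT_BINSTRING", "BINSTRING"}

def pickle_globals(data: bytes):
    """Names a pickle stream would import, read from its opcodes; the stream is never unpickled."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":                                   # protocol 0-3: arg is "module name"
            found.append(".".join(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:       # protocol 4+: last two pushed strings
            found.append(f"{strings[-2]}.{strings[-1]}")            # (heuristic: ignores memo lookups)
    return found

def pickle_streams(path: pathlib.Path):
    data = path.read_bytes()
    if data[:2] == b"PK":                                           # zip-based torch checkpoint: pickles in *.pkl members
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    return [data]

def audit_model_dir(root: pathlib.Path) -> dict:
    """Flag pickle imports, entry scripts and README run instructions in a cloned model repo."""
    report = {"imports": {}, "dangerous": [], "entry_scripts": [], "run_hints": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.name.lower() in ENTRY_SCRIPTS:
            report["entry_scripts"].append(path.name)
        elif path.suffix.lower() in WEIGHT_SUFFIXES:
            names = [g for s in pickle_streams(path) for g in pickle_globals(s)]
            report["imports"][path.name] = names
            report["dangerous"] += [f"{path.name}: {n}" for n in names if n.split(".")[0] in DANGEROUS_MODULES]
        elif path.name.lower().startswith("readme"):
            report["run_hints"] += [m.group(0) for m in RUN_HINT.finditer(path.read_text())]
    report["safe_to_load"] = not (report["dangerous"] or report["entry_scripts"] or report["run_hints"])
    return report

def build_sample_repo() -> pathlib.Path:
    """Constructed fixture mirroring the incident's layout; nothing in it is executed or unpickled."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "README.md").write_text("Run start.bat on Windows, or `python loader.py` on Linux/macOS.\n")
    (root / "loader.py").write_text("# placeholder entry script\n")
    (root / "config.pkl").write_bytes(pickle.dumps(collections.OrderedDict(hidden=8)))  # benign STACK_GLOBAL
    (root / "pytorch_model.bin").write_bytes(b"cos\nsystem\n.")  # constructed: bare GLOBAL opcode, no call
    return root
```

Run `audit_model_dir(build_sample_repo())` to see the report; a real repository should be rejected when `safe_to_load` is false, and weights shipped as safetensors avoid the pickle question entirely.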

💡 Our Take

This incident underscores the growing risks in the AI ecosystem, where public model repositories are being exploited as attack vectors. Developers must remain vigilant and verify the authenticity of models before integrating them into production systems. The implications go beyond individual users—corporate environments could be compromised if such threats go undetected.

📌 Key Takeaways

  • A malicious Hugging Face repository masqueraded as an OpenAI release, distributing malware to Windows machines.
  • Attackers may have inflated download counts and engagement metrics to make the model appear more popular.
  • Public AI model registries pose significant supply chain risks, especially when used in corporate environments.
  • Users should carefully verify the authenticity of models before deployment to avoid potential security breaches.

Tags: #AI #Cybersecurity #HuggingFace #TechNews #OpenSource

Source: https://www.artificialintelligence-news.com/news/malware-on-hugging-face-malicious-software-masquerading-as-openai-release/