
Malware Disguised as OpenAI Found on Hugging Face

Fake repository posed as OpenAI, spreading malware to Windows users.

May 09, 2026

Malicious Repo Poses as OpenAI

A malicious repo on Hugging Face impersonated OpenAI's "Privacy Filter" project to spread malware. It reached the platform's trending list and recorded 244,000 downloads before it was removed.

The repo, called Open-OSS/privacy-filter, was flagged by HiddenLayer researchers, who specialize in AI and ML security. It typosquatted OpenAI's legitimate release, copying its model card while hiding a malicious script.

The Sinister Script

Central to this setup was a Python script, loader.py. It looked innocent, but it disabled SSL verification and fetched a URL that was base64-encoded. That URL led to a JSON payload used to execute a PowerShell command, which downloaded and ran malicious software on Windows.

The payload was a Rust-based infostealer, targeting:

  • Browser data (cookies, passwords, session tokens)
  • Discord tokens and databases
  • Cryptocurrency wallets
  • SSH, FTP, and VPN credentials
  • Multi-monitor screenshots

The data theft was extensive, and the stolen information was sent to a command-and-control server, making this a severe security breach.
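The three loader.py behaviours described above (disabled SSL verification, a base64-encoded URL, a PowerShell call) can be checked for statically before any script from a downloaded repo is run. The following is an added example, not code from HiddenLayer or the original article; the function names, the two-indicator threshold and the sample strings are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Static indicators for the three loader behaviours described in the article.
TLS_OFF = re.compile(r"verify\s*=\s*False|_create_unverified_context|CERT_NONE")
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")

def decoded_urls(source):
    """Decode base64 string literals and return the ones that are URLs."""
    urls = []
    for literal in B64_LITERAL.findall(source):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64-encoded text
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def scan(source):
    """Inspect Python source as text only; the file is never imported or run."""
    urls = decoded_urls(source)
    hits = {
        "tls_verification_disabled": bool(TLS_OFF.search(source)),
        "powershell_invoked": bool(POWERSHELL.search(source)),
        "base64_urls": urls,
    }
    score = hits["tls_verification_disabled"] + hits["powershell_invoked"] + bool(urls)
    hits["score"] = score
    hits["quarantine"] = score >= 2  # assumed threshold: two indicators together
    return hits

# Constructed samples (not the real loader.py); the URL is a placeholder.
_ENC = base64.b64encode(b"https://example.invalid/cfg.json").decode()
SAMPLE_LOADER = f'''
import ssl, base64, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
endpoint = base64.b64decode("{_ENC}").decode()
subprocess.run(["powershell", "-Command", command])
'''
SAMPLE_CLEAN = "import json\nprint(json.dumps({'ok': True}))\n"

if __name__ == "__main__":
    print(scan(SAMPLE_LOADER))
    print(scan(SAMPLE_CLEAN))
```

A text-level scan like this is a triage step only: obfuscated or dynamically built strings will evade it, so a clean result does not mean a script is safe to run.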

Background on Hugging Face

Hugging Face is a go-to platform for AI models, datasets, and tools, and it is used worldwide. Despite strong security, it has been abused before by threat actors hosting malicious models.

Typosquatting Tactics

Typosquatting, the use of names similar to legitimate ones, isn't new. It has happened on platforms like npm, where malware mimics popular libraries. This Hugging Face incident shows the ongoing challenge of securing open-source repos.

Unanswered Questions

  • How many people were affected? We don't know yet.
  • How many accounts that liked the repo were real users?
  • Are more fake repos out there?

Why It Matters

This incident highlights vulnerabilities in open-source and AI platforms. As AI integrates into more sectors, securing these platforms is crucial. Users need to be vigilant, and platforms must boost security to stop such threats.
