Trending Hugging Face Repo With 200k Downloads Executes Malware on Windows Machines

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A popular artificial intelligence repository on Hugging Face was recently found hiding dangerous malware that targeted Windows users.

The repository, named “Open-OSS/privacy-filter,” had racked up over 200,000 downloads before the platform’s team stepped in and removed it.

The malicious package disguised itself as a legitimate privacy filtering tool. It copied its model card nearly verbatim from OpenAI’s own Privacy Filter project, giving it a convincing, trustworthy appearance.

Thousands of developers and researchers downloaded it without any suspicion, thinking they were working with a well-regarded and reliable AI utility.

Researchers at Hidden Layer identified the malicious code buried deep inside the repository. Their analysis revealed a sophisticated, multi-stage attack chain carefully designed to steal sensitive data from Windows machines and stay hidden throughout the entire process.

The attack did not announce itself in any way. Instead, it quietly executed in the background, using a loader file that mimicked the look and behavior of a legitimate AI model tool. Once a user ran it on a Windows machine, the real damage began without any visible warning signs.

The reach of this campaign was not accidental. Before access to the repository was disabled, it had already climbed to the number one trending position on Hugging Face, with approximately 244 downloads and 77 likes in under one hour. Those numbers were almost certainly inflated artificially to push the repository into the spotlight and attract more victims.

Trending Hugging Face Repository Executes Malware

The attack chain unfolded across six distinct stages. In the first stage, the model card instructed users to clone the repository and run a start.bat file on Windows, or a Python loader.py script on Linux or macOS.

When executed on Windows, the loader.py script ran a decoy piece of code that looked like a real loader, then called a function named verifychecksumintegrity, which disabled SSL verification, decoded a base64-encoded URL pointing to jsonkeeper.com, fetched a JSON document, and extracted the cmd field. That command was passed directly to PowerShell, which ran it silently with the execution policy bypassed.

The second stage involved PowerShell downloading a batch file called update.bat from a domain mimicking a blockchain analytics service, api.eth-fastscan.org. The batch file performed six core actions, including admin checks, payload downloads, and adding Microsoft Defender exclusions for the directories where the malicious executable was dropped.

A scheduled task named MicrosoftEdgeUpdateTaskCore was also created to maintain persistence, though it was designed as a one-shot launcher that deleted itself after running, leaving no obvious trace behind.
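The loader traits described above (SSL verification switched off, a base64-decoded string, and a command handed to PowerShell with the execution policy bypassed) can be checked for statically before anything from a cloned repository is executed. The scanner below is an added example, not HiddenLayer's or Hugging Face's tooling; the indicator names and the two sample source files are constructed.

```python
# Added example: static triage of a cloned repository's Python files for the
# loader pattern described above. Not HiddenLayer's or Hugging Face's tooling;
# indicator names and the sample sources are constructed for illustration.
import ast

LOADER_SIGNATURE = {"ssl_verification_disabled", "base64_decode", "powershell_policy_bypass"}

def _dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def scan_source(src: str) -> set:
    """Return the indicator names present in one Python source file."""
    found = set()
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return {"unparseable"}  # still worth a manual look
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and any(
                _dotted(t) == "ssl._create_default_https_context" for t in node.targets):
            found.add("ssl_verification_disabled")  # process-wide certificate checks off
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func) or ""
        if name.endswith("b64decode"):
            found.add("base64_decode")  # obfuscated URL or command string
        if name.startswith("subprocess."):
            lits = [c.value.lower() for c in ast.walk(node)
                    if isinstance(c, ast.Constant) and isinstance(c.value, str)]
            if any("powershell" in s for s in lits) and any("bypass" in s for s in lits):
                found.add("powershell_policy_bypass")
    return found

def is_loader_like(src: str) -> bool:  # all three traits in the same file
    return LOADER_SIGNATURE <= scan_source(src)

# Constructed samples: one with the loader's shape, one ordinary model code.
SUSPICIOUS_SAMPLE = """
import ssl, base64, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("PLACEHOLDER_B64").decode()
cmd = fetch_json(url)["cmd"]  # hypothetical fetch helper; not defined here
subprocess.run(["powershell", "-ExecutionPolicy", "Bypass", "-Command", cmd])
"""
BENIGN_SAMPLE = "import json\ndef load(p):\n    return json.load(open(p))\n"
```

Run scan_source over every .py file in the clone; a single file carrying all three traits is the shape this campaign's loader took and should be quarantined rather than executed.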

The final payload was a 10 MB Rust-based infostealer with an impressive range of capabilities. It specifically targeted Windows API calls to defeat static analysis and ran checks to detect debuggers, sandboxes, and virtual machines, including VirtualBox, VMware, Hyper-V, and Parallels. If it detected those environments, it simply stopped running.

Once active on a real machine, it launched eight parallel collection modules that targeted Chrome and Firefox browser cookies, login data, saved passwords, session cookies, SSH keys, VPN configurations, FTP credentials, and cryptocurrency wallet files. Screenshots were also captured and packaged for exfiltration. All stolen data was compressed and sent to a command-and-control server at recargapopular.com using a POST request with a Bearer token authorization header.

Hidden Layer’s telemetry also linked the same attacker account to six other repositories uploaded on April 24, 2025, all containing nearly identical loader functionality. The shared infrastructure between those repositories and the Open-OSS/privacy-filter campaign strongly suggested this was part of a broader, coordinated supply chain operation targeting open-source AI ecosystems.

Anyone who downloaded or cloned Open-OSS/privacy-filter, or any of the related repositories listed in the IOCs table below, should treat the affected system as fully compromised.

Recommended actions include isolating the host immediately, rotating every credential stored in browsers, password managers, or credential stores on that machine, and revoking any cloud provider tokens or SSH keys that may have been present. Reimaging the host is strongly advised before returning it to production use.

Indicators of Compromise (IoCs):

Type | Indicator | Description
Domain | api.eth-fastscan[.]org | Hosts the update.bat second-stage downloader batch file
Domain | recargapopular[.]com | C2 exfiltration endpoint receiving stolen data via POST
Domain | jsonkeeper[.]com | Paste service used to host and rotate the PowerShell payload
Domain | welovechinatown[.]info | C2 domain observed in a separate related sample
URL | https[://]api.eth-fastscan[.]org/update.bat | Direct URL delivering the second-stage batch file
File Hash (SHA256) | 3e7cb11}cx|| (loader.py; value garbled in source) | SHA256 hash of the primary Python loader file
File Hash (SHA256) | 5e8ca2a7f4 (loader.py v2; value truncated in source) | SHA256 hash of the second loader variant with identical functionality
File Hash (SHA256) | start.bat hash (value not given in source) | SHA256 of the Windows batch launcher in the repository
File Hash (SHA256) | update.bat hash (value not given in source) | SHA256 of the PowerShell-executed batch payload
File Hash (SHA256) | Infostealer C1 (value not given in source) | SHA256 hash of the Rust-based infostealer payload
Hugging Face Repo | anthubBonsai/BonsaiLLM | Related malicious repository under the same account
Hugging Face Repo | anthubWen/5BA/BAREPEWen/5}BA (name garbled in source) | Related malicious repository uploaded April 24, 2025
Hugging Face Repo | anthubWen/ClaudeOpusReasoningDistilled | Related malicious repository under the same attacker account
Hugging Face Repo | anthubWen/ClaudeOpusReasoningDistilled variant | Loader contained a near-identical command retrieval URL
Scheduled Task | MicrosoftEdgeUpdateTaskCore | Persistence mechanism impersonating the legitimate Edge updater
File Path | %TEMP%\update.bat | Location where the second-stage batch file is written and executed
File Path | %TEMP%\runner.ps1 (rendered in source as "runners1 / runnerps1") | Runner script adding Defender exclusions and dropping the infostealer binary

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
