Gecko — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/gecko/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 09 May 2026 14:26:03 +0000Malicious Hugging Face Repository Distributes Information Stealerhttps://feed.craftedsignal.io/briefs/2026-05-huggingface-infostealer/Sat, 09 May 2026 14:26:03 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-huggingface-infostealer/A malicious repository on Hugging Face, impersonating OpenAI's 'Privacy Filter' project, distributed information-stealing malware to Windows users by executing a PowerShell command that downloads and runs a Rust-based infostealer, which exfiltrates collected data to a command-and-control server.On May 7, 2026, HiddenLayer researchers discovered a malicious repository on Hugging Face named Open-OSS/privacy-filter that impersonated OpenAI’s legitimate “Privacy Filter” project. The repository briefly reached the #1 trending spot on Hugging Face and accumulated 244,000 downloads before being removed. The malicious repository contained a ’loader.py’ file that, when executed on Windows machines, fetches and executes information-stealing malware. The malware employs anti-analysis techniques to evade detection. This incident highlights the risk of supply chain attacks targeting AI/ML platforms and the potential for widespread distribution of malware through trusted repositories.

Attack Chain

  1. A user downloads a malicious repository from Hugging Face impersonating OpenAI’s “Privacy Filter” project.
  2. The user executes the loader.py Python script within the downloaded repository.
  3. loader.py disables SSL verification and decodes a base64 URL, fetching a JSON payload containing a PowerShell command from an external resource.
  4. The PowerShell command is executed in an invisible window.
  5. The PowerShell command downloads a batch file (start.bat).
  6. start.bat performs privilege escalation.
  7. start.bat downloads the final payload (sefirah) and adds it to Microsoft Defender’s exclusions.
  8. start.bat executes the final payload, a Rust-based information stealer, which collects and exfiltrates sensitive data to recargapopular[.]com.

Impact

The exact number of victims is unclear, but the malicious repository accumulated 244,000 downloads. Successful execution of the malware results in the theft of browser data (cookies, saved passwords, encryption keys, browsing data, session tokens), Discord tokens and master keys, cryptocurrency wallets and browser extensions, SSH/FTP/VPN credentials, sensitive local files, system information, and multi-monitor screenshots. The stolen data is then exfiltrated to the attacker’s command-and-control server, potentially leading to financial loss, identity theft, and further compromise of affected systems and networks.

Recommendation

  • Deploy the following Sigma rule to detect the execution of the malicious loader.py script that downloads the batch file (start.bat).
  • Block the C2 domain recargapopular[.]com listed in the IOC table at the DNS resolver to prevent data exfiltration.
  • Enable Sysmon process creation logging to capture the PowerShell command execution initiated by the Python script, allowing for further investigation (see Sigma rules below).
  • Educate users to verify the authenticity of repositories and files downloaded from Hugging Face and other similar platforms.
]]>highadvisoryhuggingfaceinfostealermalwaresupply-chainpythonpowershellwindows