{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/privacy-filter/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Privacy Filter","Microsoft Defender","Chromium","Gecko"],"_cs_severities":["high"],"_cs_tags":["huggingface","infostealer","malware","supply-chain","python","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["OpenAI","Hugging Face","Microsoft"],"content_html":"\u003cp\u003eOn May 7, 2026, HiddenLayer researchers discovered a malicious repository on Hugging Face named Open-OSS/privacy-filter that impersonated OpenAI\u0026rsquo;s legitimate \u0026ldquo;Privacy Filter\u0026rdquo; project. The repository briefly reached the #1 trending spot on Hugging Face and accumulated 244,000 downloads before being removed. The malicious repository contained a \u003ccode\u003eloader.py\u003c/code\u003e file that, when executed on Windows machines, fetches and executes information-stealing malware. The malware employs anti-analysis techniques to evade detection. 
This incident highlights the risk of supply chain attacks targeting AI/ML platforms and the potential for widespread distribution of malware through trusted repositories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user downloads a malicious repository from Hugging Face impersonating OpenAI\u0026rsquo;s \u0026ldquo;Privacy Filter\u0026rdquo; project.\u003c/li\u003e\n\u003cli\u003eThe user executes the \u003ccode\u003eloader.py\u003c/code\u003e Python script within the downloaded repository.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eloader.py\u003c/code\u003e disables SSL verification and decodes a base64 URL, fetching a JSON payload containing a PowerShell command from an external resource.\u003c/li\u003e\n\u003cli\u003eThe PowerShell command is executed in an invisible window.\u003c/li\u003e\n\u003cli\u003eThe PowerShell command downloads a batch file (\u003ccode\u003estart.bat\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estart.bat\u003c/code\u003e performs privilege escalation.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estart.bat\u003c/code\u003e downloads the final payload (sefirah) and adds it to Microsoft Defender\u0026rsquo;s exclusions.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estart.bat\u003c/code\u003e executes the final payload, a Rust-based information stealer, which collects and exfiltrates sensitive data to recargapopular[.]com.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exact number of victims is unclear, but the malicious repository accumulated 244,000 downloads. Successful execution of the malware results in the theft of browser data (cookies, saved passwords, encryption keys, browsing data, session tokens), Discord tokens and master keys, cryptocurrency wallets and browser extensions, SSH/FTP/VPN credentials, sensitive local files, system information, and multi-monitor screenshots. 
The stolen data is then exfiltrated to the attacker\u0026rsquo;s command-and-control server, potentially leading to financial loss, identity theft, and further compromise of affected systems and networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect the execution of the malicious \u003ccode\u003eloader.py\u003c/code\u003e script that downloads the batch file (start.bat).\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003erecargapopular[.]com\u003c/code\u003e listed in the IOC table at the DNS resolver to prevent data exfiltration.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the PowerShell command execution initiated by the Python script, allowing for further investigation (see Sigma rules below).\u003c/li\u003e\n\u003cli\u003eEducate users to verify the authenticity of repositories and files downloaded from Hugging Face and other similar platforms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-09T14:26:03Z","date_published":"2026-05-09T14:26:03Z","id":"/briefs/2026-05-huggingface-infostealer/","summary":"A malicious repository on Hugging Face, impersonating OpenAI's 'Privacy Filter' project, distributed information-stealing malware to Windows users by executing a PowerShell command that downloads and runs a Rust-based infostealer, which exfiltrates collected data to a command-and-control server.","title":"Malicious Hugging Face Repository Distributes Information Stealer","url":"https://feed.craftedsignal.io/briefs/2026-05-huggingface-infostealer/"}],"language":"en","title":"CraftedSignal Threat Feed — Privacy Filter","version":"https://jsonfeed.org/version/1.1"}