Supply Chain Attack: Fake OpenAI Repository on Hugging Face Distributes Infostealer Malware Targeting Developers and AI Tools

Executive Summary

Cybersecurity researchers uncovered a sophisticated supply chain attack leveraging a fake OpenAI repository on the Hugging Face platform to distribute infostealer malware. The malicious repository, which mimicked legitimate OpenAI projects, was designed to deceive developers, data scientists, and organizations seeking artificial intelligence tools. By exploiting the trust inherent in open-source ecosystems and the popularity of Hugging Face as a model-sharing platform, the attackers were able to propagate a highly capable infostealer that exfiltrated sensitive credentials, session tokens, and cryptocurrency wallets. This incident underscores the critical need for rigorous supply chain security and heightened vigilance when interacting with open-source resources.

Threat Actor Profile

The threat actors behind this campaign demonstrated a high degree of technical sophistication and operational security. While no direct attribution to a known Advanced Persistent Threat (APT) group has been established, the tactics, techniques, and procedures (TTPs) align with those of financially motivated cybercriminals and supply chain attackers. The campaign utilized typosquatting—registering repository names closely resembling legitimate OpenAI projects—and social engineering via trending lists and SEO poisoning to maximize reach. The infrastructure and payloads show overlap with previous npm typosquatting campaigns, including the distribution of the WinOS 4.0 implant, suggesting a broader, ongoing supply chain operation. The attackers also employed automated bots to artificially inflate repository download and like counts, enhancing the perceived legitimacy of the malicious projects.

Technical Analysis of Malware/TTPs

The infection chain began with the creation of repositories such as Open-OSS/privacy-filter and several others under the anthfu namespace, all designed to impersonate official OpenAI or high-profile AI projects. The repositories included a loader.py script, which masqueraded as benign AI-related code but was, in fact, the initial loader for the malware.

Upon execution, loader.py disabled SSL verification and decoded a base64-encoded URL to fetch a remote JSON payload. This payload instructed the loader to execute a PowerShell command in an invisible window, which then downloaded a batch file (update.bat or start.bat) from the attacker's infrastructure, notably the domain api.eth-fastscan[.]org. The batch file escalated privileges and fetched the final Rust-based infostealer payload, known as sefirah.

The infostealer exhibited advanced capabilities, targeting browser data (including cookies, passwords, encryption keys, and session tokens from Chromium and Gecko-based browsers), Discord tokens, local databases, master keys, cryptocurrency wallets and browser extensions, SSH/FTP/VPN credentials, and sensitive local files such as wallet seeds and keys. It also collected system information and multi-monitor screenshots. Exfiltration was performed via HTTP POST requests to the command-and-control (C2) domain recargapopular[.]com.

To evade detection, the malware checked for the presence of virtual machines, sandboxes, debuggers, and analysis tools. It also added itself to Microsoft Defender exclusions to maintain persistence. The infection chain and malware behavior map to several MITRE ATT&CK techniques, including T1059 (Command and Scripting Interpreter), T1566 (Phishing), T1071 (Application Layer Protocol), T1555 (Credentials from Password Stores), T1086 (PowerShell), T1204 (User Execution), and T1027 (Obfuscated Files or Information).
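The loader traits described above (certificate verification disabled, a base64-encoded URL decoded at runtime, a remote JSON configuration, and PowerShell launched in a hidden window) can be triaged statically before any script from an untrusted repository is run. The script below is an added example written for this advisory; it is not code from Rescana, HiddenLayer, or the malicious repository. The rule names, the SAMPLE_SOURCE fragment (an inert, constructed stand-in for the loader shape, pointing at the reserved host example.invalid) and the technique labels drawn from the mapping in this section are all assumptions of the example.

```python
"""Static triage of a Python file for the loader traits described in the advisory."""
import base64
import binascii
import re

# Rule name, line-level regex, and the ATT&CK technique the advisory maps it to.
RULES = [
    ("ssl-verification-disabled",
     re.compile(r"_create_unverified_context|verify\s*=\s*False|CERT_NONE"), "T1071"),
    ("hidden-powershell", re.compile(r"powershell.*hidden", re.I), "T1059"),
    ("remote-json-config", re.compile(r"json\.loads?\(.*(?:urlopen|requests\.get)"), "T1071"),
]
# A quoted base64 literal of 16+ characters; short tokens are too noisy to decode.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
URL_PREFIX = re.compile(rb"^https?://", re.I)


def decoded_urls(source):
    """Return base64 string literals that decode to an http(s) URL (T1027)."""
    found = []
    for m in B64_LITERAL.finditer(source):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        if URL_PREFIX.match(raw):
            found.append(raw.decode("ascii", "replace"))
    return found


def triage(source):
    """Return (rule, technique, detail) findings for one Python source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx, technique in RULES:
            if rx.search(line):
                findings.append((name, technique, f"line {lineno}"))
    for url in decoded_urls(source):
        findings.append(("base64-encoded-url", "T1027", url))
    return findings


# Constructed, inert fragment with the shape the advisory describes; not the real loader.py.
# The encoded literals are generated here so the sample stays readable.
_ENC_URL = base64.b64encode(b"https://example.invalid/config.json").decode()
_ENC_TEXT = base64.b64encode(b"just a harmless string literal").decode()
SAMPLE_SOURCE = f'''
import base64, json, ssl, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
BANNER = "{_ENC_TEXT}"
url = base64.b64decode("{_ENC_URL}").decode()
cfg = json.loads(urllib.request.urlopen(url).read())
subprocess.run(["powershell", "-WindowStyle", "Hidden", "..."])
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_SOURCE):
        print(finding)
```

Any single finding is only a lead; the combination of a decoded URL, disabled certificate checks and a hidden interpreter launch in one short file is what should stop a download from being executed.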

Exploitation in the Wild

The campaign achieved significant reach, with the primary malicious repository (Open-OSS/privacy-filter) amassing over 244,000 downloads before removal. However, analysis suggests that a substantial portion of these downloads were generated by automated bots to boost the repository's visibility and credibility. The attackers also promoted the repositories via social media platforms such as LinkedIn and Reddit, as well as through SEO manipulation, ensuring that searches for OpenAI tools would surface the malicious projects.

Victims included developers, AI/ML researchers, and organizations seeking to leverage OpenAI models or tools. The impact ranged from credential theft and session hijacking to potential lateral movement within organizational networks and theft of cryptocurrency assets. Security vendors detected anomalous outbound traffic to the C2 infrastructure and observed attempts to access and exfiltrate credentials from infected endpoints. The campaign's use of trending repositories and typosquatting significantly increased the risk of inadvertent compromise among even security-conscious users.

Victimology and Targeting

The primary targets of this campaign were individuals and organizations operating in the technology, AI/ML research, software development, and cryptocurrency sectors. The global reach of Hugging Face ensured that victims spanned multiple countries, with a particular focus on English-speaking developer and research communities. The attackers specifically targeted users seeking OpenAI tools, leveraging the brand's reputation and the open-source community's trust in platforms like Hugging Face. The use of typosquatting and cloned documentation further increased the likelihood of successful social engineering, as even experienced users could be deceived by the apparent legitimacy of the repositories.

Mitigation and Countermeasures

Organizations and individuals who may have interacted with the affected repositories should immediately consider their systems compromised and take the following actions. Reimage all affected machines to ensure complete removal of the infostealer. Rotate all credentials, including SSH keys, browser passwords, cloud service credentials, Discord tokens, and cryptocurrency wallet seeds and keys. Invalidate all browser sessions and tokens to prevent session hijacking.

To prevent future incidents, always verify the authenticity of repositories and packages before downloading or executing code, especially when dealing with high-value or security-sensitive projects. Inspect code and dependencies for suspicious behavior, such as obfuscated scripts or unexpected network activity. Employ advanced endpoint detection and response (EDR) solutions capable of identifying infostealer behavior and monitoring for outbound connections to suspicious domains. Educate users and developers about the risks of typosquatting, social engineering, and supply chain attacks, emphasizing the importance of sourcing code only from official or well-vetted repositories.

Network monitoring should be configured to detect anomalous outbound traffic, particularly to domains such as recargapopular[.]com, api.eth-fastscan[.]org, and welovechinatown[.]info. Security teams should also review scheduled tasks and Microsoft Defender exclusions for unauthorized entries, as these are commonly used for persistence by the malware.
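The two checks recommended here (outbound traffic to the listed domains, and Defender exclusions that nobody approved) are mechanical enough to script. The block below is an added example, not Rescana's tooling: it refangs the advisory's defanged domains, matches proxy-log hosts against them including subdomains, and diffs a Defender exclusion list against an approved baseline. The proxy log format, the log lines themselves, and the exclusion paths are constructed for the example and are not real telemetry.

```python
"""Match outbound connection logs and Defender exclusions against the advisory's IoCs."""
import re
from urllib.parse import urlsplit

# Domains exactly as listed in the advisory (defanged).
IOC_DOMAINS_DEFANGED = [
    "recargapopular[.]com",
    "api.eth-fastscan[.]org",
    "welovechinatown[.]info",
]


def refang(domain):
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().strip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def matches_ioc(host):
    """True when host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)


# Constructed proxy log (not real telemetry): timestamp client method url status
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET https://huggingface.co/api/models 200
2024-01-01T10:00:07Z 10.0.0.5 GET https://api.eth-fastscan.org/update.bat 200
2024-01-01T10:00:09Z 10.0.0.5 POST https://recargapopular.com/upload 200
2024-01-01T10:00:12Z 10.0.0.7 GET https://notrecargapopular.com/ 200
2024-01-01T10:00:15Z 10.0.0.8 GET https://cdn.welovechinatown.info/x 404
"""
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def flag_log(text):
    """Return one dict per log line whose destination host matches an IoC."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        if matches_ioc(host):
            hits.append({"time": ts, "client": client, "method": method, "host": host})
    return hits


def unauthorized_exclusions(current, approved):
    """Defender exclusion entries present on the host but absent from the approved baseline.

    Comparison ignores case and trailing backslashes; original entries are returned.
    """
    def key(path):
        return path.strip().rstrip("\\").lower()

    baseline = {key(p) for p in approved}
    return [p for p in current if key(p) not in baseline]


if __name__ == "__main__":
    for hit in flag_log(SAMPLE_PROXY_LOG):
        print("IOC hit:", hit)
    # Constructed exclusion lists; a real baseline comes from change management.
    live = ["C:\\Program Files\\Backup", "C:\\Users\\dev\\AppData\\Local\\Temp\\"]
    print("unapproved exclusions:", unauthorized_exclusions(live, ["C:\\Program Files\\Backup\\"]))
```

The POST to recargapopular[.]com in the sample is the pattern to alert on first, since the advisory describes exfiltration as HTTP POST to that C2 domain; a GET to api.eth-fastscan[.]org from the same client minutes earlier is the download stage and indicates the host should be treated as compromised rather than merely blocked.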

References

HiddenLayer: Malware Found in Trending Hugging Face Repository
BleepingComputer: Fake OpenAI repository on Hugging Face pushes infostealer malware
Reddit: WARNING: Open-OSS/privacy-filter MALWARE
MITRE ATT&CK Framework
Hugging Face Security Advisory

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats in the open-source and vendor ecosystem. For more information or to discuss how we can help secure your organization, please contact us at ops@rescana.com.