TechRadar
Sead Fadilpašić

A fake OpenAI repository has taken top spot on Hugging Face — but all it does is push infostealer malware

  • Attackers typosquatted an OpenAI repo on HuggingFace, distributing an infostealer disguised as a “privacy filter” model
  • The malware disabled SSL checks, escalated privileges, and deployed the sefirah payload to steal credentials, crypto wallets, and system data
  • The fake repo hit 244,000 downloads and briefly topped HuggingFace rankings before removal, with other linked malicious repos also taken down

Cybercriminals were able to spoof OpenAI products to distribute infostealer malware to more than 240,000 computers before being spotted and eliminated, experts have warned.

Security researchers HiddenLayer said they spotted a new repository on HuggingFace called Open-OSS/privacy-filter.

The privacy filter repository is, according to HiddenLayer, a typosquatted version of the official release, which came with a model card that was copied “nearly verbatim”. The loader.py file that was shipped in it fetches and executes an infostealer, they added.

Rising to the top

Before dropping the infostealer, the malware first disabled SSL verification, decoded a base64 URL, and from it downloaded a JSON payload with a PowerShell command. This command, in turn, downloaded a batch file that escalated privileges, deployed the ‘sefirah’ payload, added it to Microsoft Defender’s exclusion list, and then ran it.
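A defender's static check for the loader behaviours described above, added here as an example that is not from the article, HiddenLayer, or the malicious repository: it parses a Python file from a downloaded model repo without executing it and flags disabled TLS verification, base64 decoding and process execution. The sample sources, the label names and the `audit` and `is_high_risk` functions are assumptions constructed for illustration.

```python
import ast

# Constructed samples (assumptions): parsed only, never executed; not the real loader.py.
SUSPECT = '''
import base64, ssl, subprocess, urllib.request
ctx = ssl._create_unverified_context()
url = base64.b64decode("Q09OU1RSVUNURUQ=").decode()
cfg = urllib.request.urlopen(url, context=ctx).read()
subprocess.run(["powershell", "-Command", "Write-Output constructed"])
'''
CLEAN = 'import json\ncfg = json.load(open("config.json"))\n'

TLS_OFF = {"ssl._create_unverified_context", "ssl.CERT_NONE"}
DECODERS = {"base64.b64decode", "base64.urlsafe_b64decode"}
EXEC_PREFIXES = ("subprocess.", "os.system", "os.popen")

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join(reversed(parts + [node.id]))

def audit(source):
    """Return the loader behaviours named in the report that appear in source."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and dotted(node) in TLS_OFF:
            found.add("tls-verification-disabled")
        elif isinstance(node, ast.keyword) and node.arg == "verify":
            if isinstance(node.value, ast.Constant) and node.value.value is False:
                found.add("tls-verification-disabled")  # e.g. requests.get(..., verify=False)
        elif isinstance(node, ast.Call):
            call = dotted(node.func)
            if call in DECODERS:
                found.add("base64-decode")
            if call.startswith(EXEC_PREFIXES):
                found.add("process-execution")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if "powershell" in node.value.lower():
                found.add("powershell-string")
    return found

def is_high_risk(source):
    """True when TLS checks are off and the file also decodes base64 and spawns a process."""
    f = audit(source)
    return {"tls-verification-disabled", "base64-decode"} <= f and "process-execution" in f
```

The check matches fully qualified names only, so aliased imports such as `from base64 import b64decode` are not caught; treat a clean result as one signal among several, not as proof that a repository is safe.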

The infostealer itself does what most infostealers do - grabs data saved in browsers, exfiltrates Discord tokens, local databases, and master keys, and steals cryptocurrency wallet information, browser extension data, SSH, FTP, and VPN credentials, as well as sensitive files stored locally. It can also grab screenshots, exfiltrate system information, and more.

The download count on the fake repository is massive - 244,000 downloads in mere days.

However, this doesn’t mean every download led to an infection. BleepingComputer says the download numbers may have been inflated, and that the repository itself was “liked” by 667 auto-generated accounts. Even if it was all fake, the repository still managed to hit #1 on Hugging Face for a brief moment, which definitely could have led to infections.

However, by following the trail of the fake accounts, HiddenLayer was able to expose other, less-successful repositories, which were also malicious and used the same infrastructure. All of these have since been removed from the platform.
