- Attackers typosquatted an OpenAI repo on HuggingFace, distributing an infostealer disguised as a “privacy filter” model
- The malware disabled SSL checks, escalated privileges, and deployed the sefirah payload to steal credentials, crypto wallets, and system data
- The fake repo hit 244K downloads and briefly topped HuggingFace rankings before removal, with other linked malicious repos also taken down
Nvidia GeForce NOW, a cloud-based gaming service which streams high-performance PC games to other devices, suffered a cyberattack recently, and lost sensitive customer data. However, the data seems to be limited to one country only - Armenia.
A threat actor posted a new thread on an underground hacking forum, offering “millions of user records” for sale.
The records, which allegedly include people’s names, email addresses, usernames, dates of birth, membership status, and 2FA/TOTP status, were being sold for a sum of $100,000, paid either in Bitcoin, or Monero.
ShinyHunters, or imposters?
Following the disclosure, Nvidia shared a statement with BleepingComputer, saying the breach was a result of a compromise in the infrastructure of a regional partner called GFN.am. This company manages all GeForce NOW operations in Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan.
“Our investigation found no impact on NVIDIA-operated services,” Nvidia told the publication. “We are working closely with the partner to support their investigation and resolution. Impacted users will be notified by GFN.am."
The threat actor was using the ShinyHunters nickname, but the group apparently confirmed that this is an imposter that has no connections to the actual group.
At the same time, GFN.am confirmed that the breach took place between March 20 and March 28 2026, and that the miscreants stole names, emails, phone numbers, dates of birth, and usernames. Passwords were not affected, and neither were people who registered after March 9. We don’t know how many people are affected.
In the meantime, the forum post was deleted, which could mean a couple of things: either GFN negotiated with the attackers, or someone else purchased the database. It is also possible, since ShinyHunters confirmed this person to be an imposter, that the forum’s administrators actually removed the thread.
