- A trending malicious repository on Hugging Face impersonated OpenAI's Privacy Filter model to deploy a sophisticated information stealer.
- The stealer harvested data from Discord, cryptocurrency wallets, and browsers, using a multi-stage PowerShell downloader to evade detection.
- Attackers used a public JSON paste service to dynamically switch payloads, and the campaign shared infrastructure with earlier ValleyRAT attacks.
- Researchers identified six additional malicious repositories with similar loader scripts, indicating a broader supply chain operation.
A malicious repository on the open-source platform Hugging Face impersonated a legitimate OpenAI model last week, delivering a dangerous information stealer to Windows users. This fake project, named Open-OSS/privacy-filter, copied the description from the real openai/privacy-filter to appear authentic. Consequently, it reached the #1 trending spot with approximately 244,000 downloads before being disabled.
The repository contained a Python loader script that fetched and executed malware, as detailed in a report from the HiddenLayer Research Team. Once run, the script disabled SSL verification and decoded a Base64-encoded URL from a JSON Keeper service to download a PowerShell command. This flexible use of a public paste service allowed attackers to switch payloads without altering the repository.
Subsequently, a batch script was downloaded to prepare the environment by elevating privileges and configuring Microsoft Defender exclusions. The final payload was a Rust-based stealer designed to capture screenshots and harvest sensitive data. “Despite using a scheduled task, this stage establishes no persistence: the task is destroyed before any reboot,” HiddenLayer explained.
The malware specifically targeted cryptocurrency wallets and extensions, Discord data, and browser information. It also performed checks for virtual machines and attempted to disable Windows security features like AMSI and ETW. Meanwhile, the stolen data was exfiltrated in JSON format to the “recargapopular[.]com” domain.
Further analysis revealed six more repositories, all under the “anthfu” user, using a similar Python loader to deploy the same stealer. The same domain, “api[.]eth-fastscan[.]org,” was also used to serve a different Windows executable. This executable beacons to a command-and-control server previously linked to a campaign delivering ValleyRAT via a malicious npm package, according to an analysis from last month.
Consequently, this attack represents a new initial access vector for ValleyRAT, a trojan typically spread through phishing and SEO poisoning. “The shared infrastructure suggests these campaigns are possibly linked and likely part of a broader supply chain operation targeting open-source ecosystems,” HiddenLayer said. ValleyRAT is used exclusively by a Chinese hacking group known as Silver Fox.
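For defenders reviewing Python files shipped in model repositories, the following added example (not code from HiddenLayer's report or from the malicious repository) statically flags the combination of behaviours the loader showed: disabled TLS verification, Base64 decoding, and process execution. The function names, indicator lists, and both sample sources are assumptions constructed for illustration.

```python
import ast

# Indicator names below are assumptions chosen for this example.
TLS_OFF = {"_create_unverified_context", "CERT_NONE"}
DECODERS = {"b64decode", "urlsafe_b64decode"}
EXECUTORS = {"system", "popen", "Popen", "run", "call", "check_output"}

# Constructed sample with the loader's indicators; placeholders only, never executed.
SAMPLE_LOADER = '''
import base64, ssl, subprocess, urllib.request
ctx = ssl._create_unverified_context()
url = base64.b64decode("PLACEHOLDER").decode()
body = urllib.request.urlopen(url, context=ctx).read()
subprocess.run(["powershell", "-Command", "PLACEHOLDER"])
'''

# Constructed benign sample: Base64 alone should not trip the verdict.
SAMPLE_BENIGN = '''
import base64
def load_image(b64_text):
    return base64.b64decode(b64_text)
'''

def scan_source(source: str) -> set:
    """Return the indicator labels found by walking the parsed syntax tree."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in TLS_OFF:
            found.add("tls-verification-disabled")
        if (isinstance(node, ast.keyword) and node.arg == "verify"
                and isinstance(node.value, ast.Constant) and node.value.value is False):
            found.add("tls-verification-disabled")  # e.g. requests.get(..., verify=False)
        if isinstance(node, ast.Call):
            name = getattr(node.func, "attr", getattr(node.func, "id", ""))
            if name in DECODERS:
                found.add("base64-decode")
            if name in EXECUTORS:
                found.add("process-execution")
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and "powershell" in node.value.lower()):
            found.add("powershell-reference")
    return found

def looks_like_loader(source: str) -> bool:
    """Flag only the combination; each indicator alone is common in benign code."""
    required = {"tls-verification-disabled", "base64-decode", "process-execution"}
    return required <= scan_source(source)

if __name__ == "__main__":
    print(sorted(scan_source(SAMPLE_LOADER)), looks_like_loader(SAMPLE_LOADER))
```

Because the check parses source without importing or running it, it can be applied to files from an untrusted repository before any of its code is executed.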
