vibe-coding supply-chain hugging-face malware openai

A Fake OpenAI Repo Hit #1 on Hugging Face and Stole Everything

The Setup

A repository called Open-OSS/privacy-filter showed up on Hugging Face last week claiming to be OpenAI’s Privacy Filter — a legitimate tool that actually exists. The attackers copied OpenAI’s model card almost word-for-word, uploaded it under a convincing org name, and then juiced the numbers. Within 18 hours it had 244,000 downloads and 667 likes, sitting pretty at the #1 trending spot on the entire platform.

It was malware. Every single download.

What It Actually Did

The README told users to clone the repo and run start.bat on Windows or python loader.py on Linux and macOS. Helpful instructions for destroying your own machine. The loader’s postinstall hook ran an obfuscated JavaScript payload that spawned a base64-encoded PowerShell command, which fetched a second-stage script from attacker infrastructure.

The final payload was an infostealer. It took screenshots, raided Discord tokens, scraped cryptocurrency wallets and browser extensions, grabbed FileZilla configs, hunted for wallet seed phrases, and pillaged every Chromium and Gecko-based browser on the machine. Your passwords, your session cookies, your crypto — gone because you ran a Python script from a trending repo.

244,000 Downloads in 18 Hours

Let’s talk about that number. A quarter of a million downloads for a repo that had been alive less than a day. The likes and download counts were almost certainly botted to game Hugging Face’s trending algorithm, but that’s exactly the point. The platform’s trust signals — trending position, download count, likes — were weaponized against the people who rely on them.

Nobody at Hugging Face caught a repo with an obfuscated PowerShell dropper sitting at #1 on their homepage. The community flagged it. Not automated scanning. Not platform moderation. Users looking at the code and going “wait, what?”

This Wasn’t a One-Off

Security researchers at HiddenLayer found six more repositories under a different account using nearly identical loader logic and shared infrastructure. The campaign connects back to earlier npm typosquatting attacks and fake AI packages distributed through PyPI. This is an organized operation running across multiple package ecosystems, and AI model registries are just the latest hunting ground.

The playbook is simple and it works everywhere: create something that looks official, inflate the social proof, wait for people to install without reading. It worked on npm. It worked on PyPI. Now it works on Hugging Face. The vibe coding crowd downloading AI models to bolt onto their apps is the perfect target — they want the tool, they trust the platform, and they’re not reading loader.py before they run it.

The Vibe Coding Angle

This is what happens when an entire generation of developers treats model registries like app stores. You don’t audit App Store downloads either, but at least Apple has a review process — imperfect as it is. Hugging Face is an open platform where anyone can upload anything, and the trending algorithm rewards engagement metrics that can be trivially faked.

If you’re vibe coding and pulling models from Hugging Face into your stack, you are one careless git clone away from handing your entire development environment to an attacker. Your API keys, your .env files, your browser sessions, your crypto wallets. All of it. And the platform you trusted to surface quality is optimizing for engagement, not security.

What You Should Actually Do

Don’t run scripts from repos you haven’t read. I know that sounds impossibly quaint in 2026, but here we are. Check the publisher. Check the commit history. If a repo went from zero to 244,000 downloads overnight, maybe ask yourself how. Verify model releases against the official org’s actual page — OpenAI’s real repos are under openai, not Open-OSS.
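The checks above (publisher namespace, download velocity, and whether the repo ships an installer script with an encoded PowerShell stage like the one described under “What It Actually Did”) can be turned into a pre-clone triage. The script below is an added example, not code from the original post or from Hugging Face. The repository record is constructed to resemble the campaign in the post; its field names loosely follow what the Hub API returns for a model, but nothing here touches the network. The official-namespace table, the velocity threshold, and the indicator regexes are assumptions for the example and would be tuned in practice.

```python
"""Triage a Hugging Face repository's trust signals before cloning it.

Added example (not the post's or Hugging Face's code). The repo records
below are constructed; the heuristics and thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Which namespaces actually publish under a given brand. Assumption for the
# example: in practice, build this from the vendor's own documentation.
OFFICIAL_NAMESPACES = {"openai": {"openai"}}

# Installer-style entry points a README might tell the user to execute.
# Model repos ship weights and configs, not launchers.
INSTALLER_FILES = {"start.bat", "loader.py", "install.sh", "setup.bat", "run.bat"}

# Indicators that a script stages a second payload instead of loading a model.
ENCODED_POWERSHELL = re.compile(
    r"powershell(?:\.exe)?[^\n]*?-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{40,})",
    re.IGNORECASE,
)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
EXEC_PRIMITIVES = re.compile(r"\b(?:subprocess\.(?:Popen|run|call)|os\.system|exec\(|eval\()")


def namespace_mismatch(repo_id: str, claimed_brand: str) -> bool:
    """True if the repo trades on a brand but lives outside that brand's real namespaces."""
    namespace = repo_id.split("/")[0].lower()
    return namespace not in OFFICIAL_NAMESPACES.get(claimed_brand.lower(), set())


def download_velocity(downloads: int, created_at: datetime, now: datetime) -> float:
    """Downloads per hour since the repo was created (floor of one hour of age)."""
    age_hours = max((now - created_at).total_seconds() / 3600, 1.0)
    return downloads / age_hours


def find_script_indicators(files: dict) -> list:
    """Flag installer entry points and payload-staging patterns in text files."""
    findings = []
    for name, content in files.items():
        if name in INSTALLER_FILES:
            findings.append(f"{name}: installer-style entry point")
        if ENCODED_POWERSHELL.search(content):
            findings.append(f"{name}: encoded PowerShell command")
        if BASE64_BLOB.search(content) and EXEC_PRIMITIVES.search(content):
            findings.append(f"{name}: large base64 blob next to an exec primitive")
    return findings


def triage(repo: dict, claimed_brand: str, now: datetime, velocity_threshold: float = 1000.0):
    """Return (score, reasons). Higher score means more reasons to read before running."""
    reasons = []
    if namespace_mismatch(repo["id"], claimed_brand):
        owner = repo["id"].split("/")[0]
        reasons.append(f"namespace {owner!r} is not an official {claimed_brand} namespace")
    velocity = download_velocity(repo["downloads"], repo["created_at"], now)
    if velocity > velocity_threshold:
        reasons.append(f"{velocity:.0f} downloads/hour since creation (likely inflated)")
    reasons.extend(find_script_indicators(repo["files"]))
    return len(reasons), reasons


# Constructed reference time and repo records; the strings are inert text used
# only as scanner input (the base64 runs decode to repeated "AA" / "ABC").
NOW = datetime(2026, 1, 1, 18, 0, tzinfo=timezone.utc)

SUSPICIOUS_REPO = {
    "id": "Open-OSS/privacy-filter",
    "downloads": 244_000,
    "likes": 667,
    "created_at": NOW - timedelta(hours=18),
    "files": {
        "README.md": "# Privacy Filter\nRun start.bat (Windows) or python loader.py (Linux/macOS).",
        "start.bat": "@echo off\npowershell -NoProfile -EncodedCommand " + "QQBB" * 20,
        "loader.py": "import subprocess\nblob = '" + "QUJD" * 40 + "'\nsubprocess.run(['node', '-e', blob])",
    },
}

BENIGN_REPO = {
    "id": "openai/example-model",  # constructed name, not a real repo
    "downloads": 12_000,
    "likes": 80,
    "created_at": NOW - timedelta(days=30),
    "files": {"README.md": "# Example model\nLoad with transformers.", "config.json": "{}", "model.safetensors": ""},
}

if __name__ == "__main__":
    for repo in (SUSPICIOUS_REPO, BENIGN_REPO):
        score, reasons = triage(repo, "openai", NOW)
        print(f"{repo['id']}: score {score}")
        for reason in reasons:
            print("  -", reason)
```

The velocity check is the one most worth keeping: a namespace mismatch is obvious once you look, but a repo that accrues 244,000 downloads in 18 hours (over 13,000 an hour) stands out numerically even when the README is a perfect copy of the real model card. The file scan is deliberately crude; its job is to stop you before you run the launcher, not to classify malware.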

And if you’ve already run something suspicious from Hugging Face in the last week, rotate every credential on that machine. Not tomorrow. Now.