A model called Open-OSS/privacy-filter on Hugging Face - which presents itself as an OpenAI privacy filtering tool - has been confirmed as a multi-stage credential-stealing malware package. Developers who downloaded and ran it should treat their machines as compromised.
This is an active threat. If you've pulled this package, don't wait to respond.
The Four-Step Attack Chain
The infection sequence is designed to avoid immediate detection and establish persistence that survives reboots.
When a developer runs loader.py - a Python script included in the package - it silently contacts an attacker-controlled server and downloads a PowerShell command (PowerShell is Windows' built-in scripting tool, which can run with elevated system privileges). That first command spawns a second PowerShell process, which downloads an executable file from the internet. The executable is then registered with Windows Task Scheduler, which runs it automatically at set intervals going forward.
That final step is the critical one. Task Scheduler persistence means the malware runs on every reboot, stays active without a visible terminal process, and continues executing even if the developer later uninstalls the model. The attacker doesn't need you to stay logged in.
The full attack chain is Windows-only - developers on macOS or Linux would execute loader.py without the PowerShell components firing. That's a narrow protection. A Python dropper running on any system still creates exposure, and the technique can be adapted for other platforms.
What to Do Right Now
If Open-OSS/privacy-filter is on your machine:
- Rotate all credentials. Change passwords for GitHub, Hugging Face, AWS, Google Cloud, and any API-connected services. Treat every API key that was on or accessible from that machine as leaked - revoke and regenerate them.
- Check Task Scheduler. Open it from the Windows Start menu and look for unfamiliar tasks, especially any running PowerShell or pointing to temp directories or AppData folders.
- Run a full scan. Antivirus or endpoint detection software may catch the downloaded executable by signature.
- Report the model. File an abuse report with Hugging Face so the account gets flagged and the model removed.
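The Task Scheduler check above can be done from an elevated PowerShell prompt instead of clicking through the GUI. The script below is an added example written for this article, not code from the original post or from the malware; it uses only the built-in ScheduledTasks cmdlets, and the path and flag patterns it flags are heuristics chosen here to match the persistence pattern described in the attack chain, so every hit still needs a human look before anything is deleted.

```powershell
# Added example (not from the article): list scheduled tasks whose actions launch
# PowerShell, use hidden/obfuscation flags, or point at temp/AppData-style paths,
# i.e. the persistence pattern described in the attack chain. Heuristic only.
# Run from an elevated prompt so tasks registered by other users are visible.
$suspiciousPaths = '\\Temp\\', '\\AppData\\', '\\ProgramData\\'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only "Exec" actions carry a program (Execute) and Arguments; skip the rest
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)"
        $reasons = @()

        if ($cmd -match 'powershell(\.exe)?|pwsh') { $reasons += 'launches PowerShell' }
        if ($cmd -match '-enc|-encodedcommand|hidden|-nop|bypass') {
            $reasons += 'hidden-window / policy-bypass / encoded flags'
        }
        foreach ($p in $suspiciousPaths) {
            if ($cmd -match $p) { $reasons += "references $($p.Trim('\'))" }
        }
        if ($task.Settings.Hidden) { $reasons += 'task marked hidden in Task Scheduler' }

        if ($reasons.Count -gt 0) {
            $info = $task | Get-ScheduledTaskInfo
            [PSCustomObject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Author   = $task.Author
                LastRun  = $info.LastRunTime
                NextRun  = $info.NextRunTime
                Command  = $cmd
                Reasons  = ($reasons -join '; ')
            }
        }
    }
} | Format-List
```

Legitimate software also registers PowerShell tasks, so compare each hit's Author, LastRun and Command against what you actually installed, and capture the output before removing a task so the evidence survives for the credential-rotation and reporting steps.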
Developers building AI applications with tools like Cursor or Aider regularly pull models and scripts from Hugging Face as part of their workflow - this attack is designed for exactly that audience.
A Pattern That's Getting More Common
This isn't the first time a malicious package has appeared on a major AI repository. Similar attacks have hit PyPI (Python's package index) and npm (the JavaScript package manager) repeatedly over the past two years. The approach is consistent: name the package something that sounds like useful infrastructure, upload it to a platform developers trust, and let search bring the victims to you.
Hugging Face hosts over 900,000 models and doesn't have the capacity to review every upload. The Open-OSS account is a personal account with no organizational verification and no apparent history prior to this package - that combination is a reason to pause before downloading.
Before pulling any model from Hugging Face: check who published it. Verified organization accounts with a track record of legitimate releases are meaningfully safer than unverified personal accounts with a single upload that matches exactly what you need. A newly created account with one suspiciously relevant package is a red flag, not a lucky find.