A fake OpenAI Privacy Filter repository reached the top of Hugging Face's trending list and accumulated 244,000 downloads by impersonating OpenAI's legitimate open-weight model released in late 2024.
The malicious project, named Open-OSS/privacy-filter, duplicated the legitimate openai/privacy-filter repository's entire description and metadata. Strictly this is namespace impersonation rather than typosquatting: Open-OSS is not a misspelling of openai, but the identical repository name and copied page content did the work a typo normally does. The attack targeted Windows users by distributing a Rust-based information stealer designed to exfiltrate sensitive data from compromised systems.
The attack exploited Hugging Face's role as a central hub for machine learning models and open-source projects. Developers searching for OpenAI's Privacy Filter tool encountered the fake repository first because of its position on the platform's trending list. The identical name and copied documentation removed the cues a casual user would rely on to tell the malicious fork from the authentic release; only the namespace differed.
Information stealers operate by harvesting credentials, browser data, clipboard contents, and system information. Rust gives attackers good performance and easy cross-platform builds, and a compiled Rust binary is less familiar to many analysts and signature sets than the C++ or .NET stealers most detections were written for, though this variant specifically targeted Windows systems.
The incident highlights a supply chain weakness in open-source AI model distribution. Model hosting platforms such as Hugging Face do run automated scans for known malware and unsafe serialization formats, but those scans do not catch every malicious file, and a clean scan says nothing about whether the publisher is who the page claims. Attackers leverage the platform's trust and discoverability features to reach large audiences quickly. Trending rank and download counts are popularity signals, not vetting; the fake repository's 244,000 downloads were part of the lure rather than evidence of safety, yet users pulling code from trending lists often assume someone has already checked it.
OpenAI's legitimate Privacy Filter model aims to detect and redact sensitive information in text. The counterfeit version kept this facade while delivering the stealer; the payload would have run when a victim executed the accompanying code or installer, since downloading files from the hub executes nothing by itself, so the download count is an upper bound on victims rather than a measure of them.
Organizations and individual developers should verify what they acquire from community platforms before running it. Confirm that the namespace matches the publisher's official organization page rather than trusting the repository name, check repository creation dates and author histories, verify cryptographic signatures or hashes obtained out of band where the publisher provides them, and treat executables or installers in a model repository as a red flag in their own right. Security teams should monitor employee downloads from Hugging Face and
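The checks above can be scripted as a gate that runs before anything from a repository is executed. The following is an added example, not code from the article or from Hugging Face or OpenAI. The `RepoInfo` records mimic the fields that `huggingface_hub.model_info()` returns but are constructed inline so the script runs offline; the dates, file names and the hypothetical `privacy_filter_setup.exe` are illustrative placeholders, not published details of the real incident.

```python
"""Offline pre-download checks for a Hugging Face model repository.

Added example. The RepoInfo objects are constructed to mimic the fields
returned by huggingface_hub's model_info(); dates, file names and hashes
below are illustrative and do not describe real artifacts.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Artifact types a text-redaction model has no reason to ship. Windows
# launchers and installers head the list because the stealer in this
# incident targeted Windows users.
SUSPICIOUS_SUFFIXES = (".exe", ".dll", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".lnk")


@dataclass(frozen=True)
class RepoInfo:
    repo_id: str            # "namespace/name" as shown on the hub
    created_at: datetime    # timezone-aware
    downloads: int
    description: str
    files: tuple[str, ...]


def namespace_of(repo_id: str) -> str:
    """The publisher part of 'namespace/name', lower-cased for comparison."""
    return repo_id.split("/", 1)[0].lower()


def check_repo(
    info: RepoInfo,
    expected_namespace: str,
    canonical: RepoInfo | None = None,
    now: datetime | None = None,
    min_age_days: int = 30,
) -> list[str]:
    """Return human-readable findings; an empty list means no red flags.

    expected_namespace: the publisher you intended to download from.
    canonical: metadata of that publisher's own repo, if you have it, so a
               verbatim-copied description can be detected.
    """
    now = now or datetime.now(timezone.utc)
    findings: list[str] = []

    ns = namespace_of(info.repo_id)
    if ns != expected_namespace.lower():
        findings.append(f"namespace '{ns}' is not the expected publisher '{expected_namespace}'")

    age = now - info.created_at
    if age < timedelta(days=min_age_days):
        findings.append(f"repository is only {age.days} days old")

    if canonical is not None and info.repo_id != canonical.repo_id:
        if info.description.strip() == canonical.description.strip():
            findings.append(f"description is a verbatim copy of {canonical.repo_id}")

    bad = [f for f in info.files if f.lower().endswith(SUSPICIOUS_SUFFIXES)]
    if bad:
        findings.append("ships executable content: " + ", ".join(sorted(bad)))

    # Deliberately no check on `downloads`: the fake repo had 244,000 of them.
    return findings


def artifact_matches(data: bytes, expected_sha256: str) -> bool:
    """Compare a downloaded file against a hash obtained out of band
    (publisher release notes, signed manifest), in constant time."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.lower())


# Constructed sample data (not real repository listings).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

LEGIT = RepoInfo(
    repo_id="openai/privacy-filter",
    created_at=NOW - timedelta(days=60),
    downloads=50_000,
    description="Detects and redacts sensitive information in text.",
    files=("README.md", "config.json", "model.safetensors", "tokenizer.json"),
)

# Hypothetical listing for the impersonating repo: same docs plus a Windows
# binary. The real file names were not published.
FAKE = RepoInfo(
    repo_id="Open-OSS/privacy-filter",
    created_at=NOW - timedelta(days=4),
    downloads=244_000,
    description=LEGIT.description,
    files=("README.md", "config.json", "model.safetensors", "privacy_filter_setup.exe"),
)

if __name__ == "__main__":
    for repo in (LEGIT, FAKE):
        print(repo.repo_id, check_repo(repo, "openai", canonical=LEGIT, now=NOW) or ["no findings"])
```

Run against the two constructed records, the legitimate entry produces no findings while the impersonator trips all four checks. The namespace comparison is the one that matters most in this incident, because every other visible attribute of the fake page was copied from the original; the hash check only helps when the publisher distributes an expected digest through a channel the attacker does not control.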
