Deconstructing the Hugging Face Supply Chain Campaign: Algorithm Manipulation and the Rust Infostealer Chain
In a sophisticated demonstration of social engineering and supply chain exploitation, threat actors leveraged the inherent trust within the Hugging Face ecosystem to distribute a potent Rust-based infostealer. The malicious repository, masquerading as Open-OSS/privacy-filter, successfully manipulated the platform’s trending algorithm to gain massive visibility before security researchers intervened.
The campaign utilized “typosquatting”—a technique where attackers mimic legitimate projects to deceive users. By cloning the model card of OpenAI’s official Privacy Filter almost verbatim, the attackers created a veneer of authenticity. The only subtle deviation was found in the README, which deviated from standard ML workflows by instructing Windows users to execute start.bat or Unix users to run loader.py, effectively bypassing the standard installation protocols used by the legitimate project.
The scale of the deception was significant. Within a mere 18-hour window, the repository amassed approximately 244,000 downloads and 667 likes. Technical analysis of the account engagement revealed a pattern of highly formulaic naming conventions (e.g., firstname-lastname###), strongly indicating that the repository’s “trending” status was artificially inflated via botnets to bypass human skepticism.

On May 7th, 2026, security researchers at HiddenLayer identified the malicious payloads embedded within the repository. The attack lifecycle is characterized by a multi-stage execution chain designed for maximum evasion.
Technical Execution Chain: From Loader to Payload
The infection vector begins with loader.py. To evade initial heuristic analysis, the script executes “decoy” code, including a DummyModel class and simulated training outputs, to simulate a standard machine learning environment.

The script subsequently invokes a function titled _verify_checksum_integrity(). Despite its benign name, this function performs several highly suspicious operations: it disables SSL verification, decodes a hard-coded Base64 URL pointing to a jsonkeeper.com paste, and extracts a command string which is then passed directly to PowerShell. This entire process is wrapped in a bare exception handler to ensure that any execution errors are silently suppressed, preventing user notification.
On Windows targets, the payload utilizes a stealthy PowerShell invocation: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command [cmd]. By leveraging the CREATE_NO_WINDOW (0x08000000) creation flag, the attackers ensure no console window ever appears on the user’s desktop. Notably, the payload is designed to fail silently on Linux and macOS, specifically targeting Windows environments to minimize the “noise” of failed cross-platform execution.
The secondary stage involves a PowerShell one-liner that fetches an update.bat file from api.eth-fastscan.org—a domain strategically chosen to impersonate a blockchain analytics API to blend in with legitimate crypto-related network traffic. Once executed, update.bat performs the following high-privilege maneuvers:
- Privilege Escalation: Checks for administrative rights and attempts UAC elevation.
- Defense Evasion: Downloads the final payload (named
sefirah) and immediately adds Microsoft Defender exclusions for the target directories (%TEMP%,%LOCALAPPDATA%, etc.). - One-Shot Execution: Instead of maintaining long-term persistence (which is easily detected), the script creates a scheduled task spoofing a Microsoft Edge update (e.g.,
MicrosoftEdgeUpdateTaskCore[a-z0-9]{8}) to run the payload as SYSTEM, triggers it once, and then deletes the task.
The Final Payload: High-Performance Rust Infostealer
The ultimate objective is a ~1.07 MB Rust-compiled binary. The choice of Rust provides the attacker with high performance and a significantly harder target for reverse engineering compared to interpreted scripts. This binary is heavily fortified with anti-analysis techniques, including:
- Environment Checks: Detection of debuggers, sandboxes, and virtualized environments (VMware, VirtualBox, QEMU, Xen).
- Security Tool Neutralization: Attempts to disable the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).
Once active, the malware deploys parallel collection threads to harvest sensitive data, including:
- Browser Data: Chromium and Gecko profile secrets, cookies, and DPAPI-protected login databases.
- Communication & Crypto: Discord tokens/master keys, cryptocurrency wallet extensions, and local wallet directories.
- Infrastructure Credentials: FileZilla/FTP credentials, SSH keys, and VPN configurations.
- Visual Intelligence: Full-screen PNG screenshots of the user’s desktop.
Exfiltration is handled via HTTPS using WinHTTP, with collected data being serialized into JSON, compressed, and sent to a C2 server at recargapopular.com using a Bearer token.
Incident Response & Remediation
This is not a “suspicious” event; it is a full system compromise. Because the payload aggressively targets active sessions and credential stores, any Windows machine that executed files from the Open-OSS/privacy-filter repository must be considered breached.
Recommended Actions:
- Isolate and Reimage: Prioritize the full wiping and reinstallation of the operating system on affected hosts.
- Credential Rotation: Immediately rotate all passwords, API keys, and tokens that were stored or accessed on the compromised machine.
- Session Invalidation: Force a logout/invalidation of all active Discord, browser, and VPN sessions.
- Audit: Review network logs for unusual outbound traffic to
recargapopular.comoreth-fastscan.org.