A malicious repository spoofing OpenAI's Privacy Filter model exploded to the top of Hugging Face downloads, accumulating 244,000 downloads in under 18 hours before the platform took it down.
The fake repo impersonated OpenAI's legitimate model with near-identical branding and naming, exploiting the trust users place in the organization's projects. The attackers embedded credential-stealing malware inside the package, capturing passwords and other secrets from anyone who downloaded and ran it. A model repository is not inert data: pickle-serialized weights and custom loader code both execute when the model is loaded, so "using the model" meant running the attacker's code.
The speed of the attack reveals how quickly supply chain threats propagate across machine learning ecosystems. Hugging Face hosts over 1 million models and datasets. Users often download packages with minimal scrutiny, particularly when they appear to come from trusted sources like OpenAI. The attacker leveraged this trust asymmetry to achieve massive scale in less than a day.
This incident parallels earlier supply chain attacks in the Python ecosystem, where trojanized packages climbed the PyPI download rankings before removal. Developers who pulled the repo through automated scripts or model-loading libraries likely executed the malicious code without ever looking at it.
The 244,000 download figure is a poor measure of exposure. Some of those fetches were repeated CI runs and mirrors rather than distinct victims, but every download that was actually loaded could expose every credential stored on that host: API keys in developer environments, secrets in CI/CD pipelines, and tokens on local machines. Corporate networks reachable with those credentials face downstream risk well beyond the developers who ran the model.
How quickly Hugging Face acted once the repository was reported is unclear from available reporting; what is known is that it stayed live for under 18 hours in total. Platform moderation at scale struggles when attackers can impersonate high-profile organizations within hours. The repository's rapid ascent to #1 suggests that automated detection did not flag it during its growth phase.
This follows a pattern of increased targeting of open source infrastructure. Attackers recognize that compromising a single popular package reaches thousands of downstream users at once. Security researchers have flagged AI model repositories as under-protected compared to the leading software package managers, some of which now offer cryptographic provenance and publisher identity checks (for example, PyPI's trusted publishing and npm's provenance attestations).
The incident underscores why developers need automated scanning for supply chain threats, repository verification before download (check the namespace and organization, not just the model name), pinning to a specific commit rather than a moving branch, a preference for safetensors over pickle-based weights, keeping remote-code loading off by default, and sandboxed execution environments for untrusted code. Hugging Face may need stricter author verification and rate-limiting on new repository uploads during trending periods.