Hugging Face hosted malicious software masquerading as OpenAI release

A malicious repository on Hugging Face, the popular AI model hub, distributed Windows infostealer malware while impersonating an OpenAI release. Security firm HiddenLayer discovered the fake model received approximately 244,000 downloads before Hugging Face took it offline. Researchers suspect attackers artificially inflated download counts to boost the repository's apparent legitimacy and visibility.

The attack exploited a fundamental trust problem in open AI platforms. Users searching for OpenAI tools or models found what appeared to be official releases hosted on Hugging Face, a platform where developers freely share machine learning projects. The infostealer malware would execute on infected Windows systems, stealing sensitive data from victims. The actual infection rate remains unclear since download counts may have been padded through automated requests.

This incident highlights growing supply chain risks in AI development. Hugging Face hosts millions of models with minimal verification barriers. While the platform enables rapid innovation and democratizes AI access, it also creates opportunities for attackers to distribute malware at scale. Bad actors simply need to craft convincing repository names and descriptions to deceive users hunting for specific tools.

The attack's success depended on social engineering rather than technical sophistication. Users trusted the repository because it mimicked official branding and appeared on an established platform. This pattern mirrors similar campaigns targeting GitHub and PyPI, where malicious packages exploit naming conventions and user confusion to achieve widespread distribution.

Hugging Face removed the malicious repository and likely took measures to flag similar threats. However, the platform faces a scaling challenge. Automated detection systems struggle to distinguish between legitimate models and trojanized versions without executing code, which creates security risks. Manual review cannot keep pace with the volume of uploads.

The incident underscores why users should verify model sources directly through official channels, use code scanning tools before executing downloads, and remain skeptical of repositories appearing in search results. Platform