Last updated: May 13, 2026 at 5:42 AM UTC
Tag: hugging-face (2 articles)

A fake OpenAI repository on Hugging Face reached the trending #1 spot before getting caught - 244,000 downloads delivered an infostealer that grabs browser passwords, crypto wallets, and Discord tokens

HiddenLayer disclosed a malicious Hugging Face repository called Open-OSS/privacy-filter that typosquatted OpenAI's legitimate Privacy Filter project. The repo copied the original model card almost verbatim and shipped a loader.py file that, on Windows, fetched and executed an infostealer. The repo briefly hit Hugging Face's trending list at #1 and accumulated 244,000 downloads before the platform pulled it on May 7. The loader runs in an invisible PowerShell window, escalates privileges, adds itself to Microsoft Defender exclusions, and deploys Sefirah - a Rust-based infostealer that targets browser credentials, Discord tokens, cryptocurrency wallets, and SSH keys.

Check
Search proxy and DNS logs for connections to Hugging Face repository 'Open-OSS/privacy-filter' or downloads of 'loader.py' tied to it since April. Hunt Windows endpoints for sefirah.exe and unfamiliar Microsoft Defender exclusions.
Affected
Windows machines whose users downloaded from Open-OSS/privacy-filter between late April and May 7. AI/ML developers are the highest-risk role. Acute risk: developers whose machines hold cryptocurrency wallets, Discord tokens, and SSH keys to production. Cryptocurrency holders are specifically targeted by Sefirah's wallet-extraction modules.
Fix
Block Open-OSS/privacy-filter at the network egress layer. For machines that may have run the loader: rotate every browser-stored credential, Discord token, SSH key, and cryptocurrency wallet seed. Enforce signature verification for Hugging Face models pulled into production. Treat all Hugging Face repositories as untrusted by default. Apply HiddenLayer's published Sefirah IoCs.
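The proxy-log hunt described under Check, as an added example that is not part of the original article or HiddenLayer's tooling. It assumes a generic one-request-per-line log layout (timestamp, client, method, URL, status); the sample lines, the client addresses and the legitimate-looking "some-org/privacy-filter" repo path are constructed, and only the repository name and loader.py filename come from the article. The same host-and-path matching generalizes to any other repository name you need to sweep for.

```python
import re
from datetime import date

# Constructed sample proxy log (not real traffic). Layout: timestamp client method url status.
SAMPLE_LOG = """\
2026-04-28T09:14:02Z 10.1.4.22 GET https://huggingface.co/some-org/privacy-filter/resolve/main/config.json 200
2026-04-29T11:02:55Z 10.1.4.31 GET https://huggingface.co/Open-OSS/privacy-filter/resolve/main/loader.py 200
2026-05-01T16:40:11Z 10.1.7.8 GET https://huggingface.co/Open-OSS/privacy-filter 200
2026-03-15T08:00:00Z 10.1.4.31 GET https://huggingface.co/Open-OSS/privacy-filter/tree/main 200
2026-05-02T10:10:10Z 10.1.9.3 GET https://example.org/loader.py 200
"""

MALICIOUS_REPO = "Open-OSS/privacy-filter"   # repository named in the article
HF_HOST = "huggingface.co"
SINCE = date(2026, 4, 1)                     # "since April", per the article

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {
        "ts": date.fromisoformat(ts[:10]),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
    }


def classify(url):
    """Return a reason string if the URL touches the malicious repo on huggingface.co, else None."""
    host, _, path = url.split("://", 1)[-1].partition("/")
    if host.lower() != HF_HOST:
        return None
    path_l = path.lower()
    repo_l = MALICIOUS_REPO.lower()
    # Match the repo root and anything beneath it, but not look-alike names on other orgs.
    if path_l != repo_l and not path_l.startswith(repo_l + "/"):
        return None
    if path_l.rstrip("/").endswith("/loader.py"):
        return "loader.py fetched from malicious repo"
    return "contact with malicious repo"


def hunt(log_text, since=SINCE):
    """Return one hit per in-scope request to the malicious repo, oldest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ts"] < since:
            continue
        reason = classify(rec["url"])
        if reason:
            hits.append({"client": rec["client"], "date": rec["ts"].isoformat(), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Every client that appears in the loader.py hits should be treated as a host that may have run the loader and go straight to the rotation steps above; the "contact" hits are lower confidence (a repo page view is not a download) but still worth a look at the endpoint.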

Hugging Face's LeRobot robotics framework has an unpatched flaw that lets remote attackers run code with no authentication (CVE-2026-25874)

Researchers disclosed a critical unauthenticated remote code execution flaw in Hugging Face's LeRobot, the open-source framework used to train and deploy ML models on physical robots. CVE-2026-25874 sits in the framework's web interface, which by default listens on all network interfaces with no authentication - quick for demos, but a hard fail when the demo box ends up on a corporate network. There is no patch yet. Hugging Face has been notified but hasn't released a fix. This is particularly serious because LeRobot is usually attached to actual robotic hardware, so a compromise can mean unsafe physical actions.

Check
If your team uses Hugging Face LeRobot anywhere, take the web interface off any reachable network and bind it to localhost-only until a patch is released.
Affected
All current versions of Hugging Face LeRobot with the web interface enabled. CVE-2026-25874, unauthenticated RCE, no patch available. Acute risk for research labs, robotics startups, and university labs running LeRobot demos where the host has any network reachability. Manufacturing or warehouse environments using LeRobot for production robotics are at the highest risk because compromise can drive physical actions.
Fix
Bind LeRobot's web interface to 127.0.0.1 only and tunnel through SSH for remote access. If localhost-only isn't workable, put the interface behind an authenticated reverse proxy (nginx with basic auth, Cloudflare Access, Tailscale). Block direct internet access to any LeRobot host at the firewall. Watch the LeRobot GitHub for the patch. Don't run LeRobot on the same host as production robotic control systems.
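A quick way to confirm the localhost-only binding actually took effect, as an added example that is not part of the original article or the LeRobot project. It parses `ss -ltnp` output and flags listeners on a wildcard address; the sample output is constructed, and port 8000 is a placeholder for whatever port your LeRobot web interface uses (the article does not give one).

```python
import re

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8000        0.0.0.0:*         users:(("python3",pid=4242,fd=5))
LISTEN 0      128    127.0.0.1:8001      0.0.0.0:*         users:(("python3",pid=4243,fd=5))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
LISTEN 0      128    *:8080              *:*               users:(("nginx",pid=1200,fd=6))
"""

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "::", "*"}
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}
PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(output):
    """Turn `ss -ltnp` output into a list of {addr, port, process} dicts."""
    listeners = []
    for line in output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles "[::]:22" and "*:8080"
        proc = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        listeners.append({"addr": addr, "port": int(port), "process": proc.group(1) if proc else None})
    return listeners


def wildcard_listeners(output):
    """Every socket reachable from any interface, regardless of what owns it."""
    return [entry for entry in parse_ss(output) if entry["addr"] in WILDCARD_ADDRS]


def audit(output, watch_ports):
    """(port, addr, process) for watched ports that are not bound to loopback.
    An empty list means the interface is localhost-only as intended."""
    return [
        (entry["port"], entry["addr"], entry["process"])
        for entry in parse_ss(output)
        if entry["port"] in watch_ports and entry["addr"] not in LOOPBACK_ADDRS
    ]


if __name__ == "__main__":
    LEROBOT_PORT = 8000  # placeholder; substitute the port your deployment uses
    for port, addr, process in audit(SAMPLE_SS, {LEROBOT_PORT}):
        print(f"port {port} bound to {addr} by {process}: reachable from the network")
```

Run it against live output with `ss -ltnp | python3 audit.py` after swapping `SAMPLE_SS` for `sys.stdin.read()`; anything it reports for the LeRobot port means the bind change did not take and the host is still exposed.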