On the most perfectly constructed con in AI history, why the smartest people in tech fell for it, and what it says about the trust problem sitting at the foundation of the entire AI ecosystem.

Let me describe the crime scene before I describe the crime. You might appreciate this privacy fence first: https://amzn.to/4tR0itZ

May 7, 2026. Hugging Face, the platform where 800,000+ AI models live and where every serious AI developer goes to find tools, has a trending page. Just like GitHub. Just like Product Hunt. The top spot that day belongs to a repository called Open-OSS/privacy-filter.

It has ~244,000 downloads. It has ~667 likes. Its model card, the description page that tells you what the tool does, reads almost word for word like the legitimate OpenAI Privacy Filter that OpenAI had announced in April. Same language. Same formatting. Same professional polish. The kind of thing you glance at, think "yep, that's the real one," and clone onto your machine without a second thought.

When you run the setup script, your computer starts quietly sending your browser cookies, saved passwords, banking credentials, cryptocurrency wallet files, VPN configurations, and SSH keys to a server in another country.

Every single person who ran that script on a Windows machine handed a stranger their entire digital life.

~244,000 downloads in 18 hours. Number one on the platform. And nobody noticed until a team of researchers at HiddenLayer looked at the code on May 7 and immediately understood what they were looking at.

The Mechanics of the Con Are Almost Admirable

I want to walk you through exactly how this worked, because the sophistication of it matters for understanding why smart people fell for it.

OpenAI released a legitimate tool called Privacy Filter in April 2026. It was designed to detect and redact personally identifiable information from text, a genuinely useful tool for developers building applications that handle sensitive data. The announcement was real. The project was real. Developers were actively looking for it.

The attackers created a repository named Open-OSS/privacy-filter. OpenAI's legitimate version lived under openai/privacy-filter. One character difference in the organization name. The model card, the entire description, was copied nearly verbatim from the real release. The code structure looked legitimate from the outside.

Then the attackers gamed the platform.

667 fake accounts liked the repository, and download numbers were artificially inflated to push it to the top of the platform's discovery page. Hugging Face's trending algorithm, like every trending algorithm, responds to signals of popularity. When something gets thousands of downloads and hundreds of likes quickly, the algorithm concludes it must be worth surfacing to more people. So it surfaces it. To more people. Who download it. Which boosts it further. The feedback loop that was designed to help developers find good tools became the mechanism for distributing malware to 244,000 of them.

When a developer ran the setup script, here is what actually happened under the hood.

The package's postinstall hook silently executes an obfuscated JavaScript loader that spawns a base64-encoded PowerShell command, which in turn fetches and executes a second-stage PowerShell script from attacker-controlled infrastructure. That second stage downloads a Rust-based binary. The Rust binary runs quietly in the background with no visible window, removes forensic markers, and starts harvesting everything it can find.
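The chain just described (an install hook, a shell spawn, an encoded PowerShell command) is also exactly what a defender can look for before running anything. The scanner below is an added example, not HiddenLayer's analysis tooling and not code from the repository in question. It reads a package's files as text and never executes them; the package files it inspects are constructed for the example, and the encoded command in the sample decodes to an inert placeholder.

```python
"""Static pre-install scan for the install-hook -> encoded PowerShell pattern.

Added example: reads package files as text and never executes them. All sample
inputs below are constructed.
"""
import base64
import json
import re
from dataclasses import dataclass

# npm runs these scripts automatically during `npm install`; a model wrapper
# rarely needs any of them.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# powershell[.exe] ... -e/-ec/-en/-enc/-EncodedCommand <base64>, on one line.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?.*?-(?:e|ec|en|enc|encodedcommand)\b\W+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)

# JavaScript handing a string to the operating system shell.
SHELL_SPAWN = re.compile(r"child_process|\bspawn\s*\(|\bexecSync?\s*\(")

# Capabilities an install step has no legitimate need for, matched against the
# decoded command in lower case.
SUSPICIOUS = (
    "invoke-expression", "invoke-webrequest", "downloadstring",
    "net.webclient", "-windowstyle hidden", "frombase64string",
)


@dataclass
class Finding:
    path: str
    reason: str
    detail: str


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument: UTF-16LE, with a UTF-8 fallback."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")


def scan_package(files: dict[str, str]) -> list[Finding]:
    """Inspect a package given as {relative path: file text}."""
    findings: list[Finding] = []
    manifest = files.get("package.json")
    if manifest:
        scripts = json.loads(manifest).get("scripts", {})
        for hook in AUTO_RUN_HOOKS:
            if hook in scripts:
                findings.append(Finding("package.json", f"auto-run hook '{hook}'", scripts[hook]))
    for path, text in files.items():
        spawn = SHELL_SPAWN.search(text) if path.endswith(".js") else None
        if spawn:
            findings.append(Finding(path, "spawns an OS shell", spawn.group(0)))
        for match in ENCODED_PS.finditer(text):
            decoded = decode_encoded_command(match.group(1))
            hits = [k for k in SUSPICIOUS if k in decoded.lower()]
            findings.append(Finding(path, "encoded PowerShell command", f"{decoded!r} keywords={hits}"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'block' on an encoded command or shell spawn, 'review' on any auto-run hook, else 'ok'."""
    reasons = {f.reason for f in findings}
    if reasons & {"encoded PowerShell command", "spawns an OS shell"}:
        return "block"
    return "review" if findings else "ok"


# Constructed sample package: the encoded command decodes to an inert placeholder.
ENCODED_SAMPLE = base64.b64encode("Invoke-Expression $stage2".encode("utf-16-le")).decode()
SUSPICIOUS_PACKAGE = {
    "package.json": json.dumps({"name": "privacy-filter", "scripts": {"postinstall": "node install.js"}}),
    "install.js": (
        "const { spawn } = require('child_process');\n"
        f"spawn('powershell', ['-NoProfile', '-WindowStyle', 'Hidden', '-enc', '{ENCODED_SAMPLE}']);\n"
    ),
}
CLEAN_PACKAGE = {
    "package.json": json.dumps({"name": "privacy-filter", "scripts": {"test": "pytest"}}),
    "README.md": "Detects and redacts personally identifiable information from text.",
}

if __name__ == "__main__":
    for label, pkg in (("suspicious", SUSPICIOUS_PACKAGE), ("clean", CLEAN_PACKAGE)):
        found = scan_package(pkg)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  {f.path}: {f.reason} ({f.detail})")
```

The point of decoding the blob rather than just flagging its presence is triage: an install step that decodes to a download-and-execute command is a "block", while a bare `postinstall` that compiles a native extension is only a "review". Run it over the unpacked directory before `npm install` or the setup script ever runs, ideally from the container the later section recommends.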

Browser sessions. Saved passwords. Bank credentials. Crypto wallet files. VPN configurations. SSH keys. Everything your browser has ever saved. Everything your password manager might have shared with your browser. Everything that proves you are you on the internet.

Any environment where the loader.py script was executed should be treated as fully compromised. Do not log into anything from the affected host before wiping it.

Not "run your antivirus" or "change your passwords" but "wipe the machine." The security researchers who found this were not interested in half-measures.

Why AI Developers Are the Perfect Target and Nobody Talks About It

Here is the part that I find genuinely uncomfortable to say, but somebody has to.

AI developers are, as a community, unusually trusting of code from repositories they recognize. This is not stupidity. The entire open-source AI ecosystem runs on the assumption that shared repositories are what they say they are. You find a model on Hugging Face, you clone it, you run it, you build with it. That workflow is the foundation of how the field moves so fast.

The same workflow is a perfect attack surface.

Public AI repositories combine recognizable brands, executable code, and rapid user pickup in one workflow. Together, those conditions give attackers a practical distribution surface because users can move from search to download to local execution in minutes, while popularity signals and familiar project structure do part of the persuasion work.

The person who carefully checks every npm package for suspicious postinstall hooks, who reads the source code of every PyPI library before running it, who maintains strict sandboxing for unknown dependencies, that person clones a top-trending Hugging Face repository impersonating an OpenAI release and runs the setup script without blinking. The trust they have built into their workflow around one category of software does not automatically extend to another.

The attackers understood this. They chose Hugging Face specifically because it sits in the category of "trusted infrastructure" for AI developers in a way that a random GitHub account from an unknown user does not.

The Crypto Wallet Detail Is Where This Gets Personal

I want to pause on one specific part of what was stolen.

Cryptocurrency wallet files.

A significant percentage of the developers building on Hugging Face in 2026 are also, separately, participants in the crypto ecosystem. The wallets on their machines may contain meaningful sums. The people whose machines got compromised in this attack did not just lose their banking credentials. They potentially lost their entire crypto holdings to a drain that could execute within hours of the initial compromise, long before they noticed anything unusual.

Crypto transactions are irreversible. There is no fraud department. There is no chargeback. There is no "we noticed unusual activity on your account." When a wallet gets drained by a key that was stolen from a compromised machine, the money is gone. Not recoverable. Not insured. Just gone.

~244,000 downloads. Even if only a small percentage ran the script. Even if only a small percentage of those had crypto holdings on the same machine. The math of the theft is not small.

The Platform's Response Is the Part That Should Bother You Most

Hugging Face removed the repository after HiddenLayer reported it on May 7.

That sentence contains the timeline that matters. The repository reached number one on the trending page. It accumulated ~244,000 downloads. It sat there, openly listed, for long enough to become the most popular AI tool on the platform that day. And it was removed after external security researchers noticed it and reported it.

The platform's own detection systems did not catch it. The trending algorithm actively amplified it. The social proof that the algorithm generated ("look how popular this is, look how many downloads it has") was the weapon.

The repository reached the #1 trending position on Hugging Face within 18 hours, highlighting how public AI repositories are becoming a new software supply chain attack vector.

A new attack vector. Not a bug in the code. Not a vulnerability in the model. The distribution platform itself, specifically the trust and discoverability mechanisms that make it valuable, was the vulnerability.

The fix that Hugging Face has yet to fully deploy is a hard one. How do you verify that a trending repository is what it says it is without destroying the speed and openness that makes the platform useful in the first place? Identity verification for organizations would help. Slower trending amplification for newly created accounts would help. Automated code scanning for known malicious patterns would help. None of these are deployed comprehensively. All of them have costs in friction and openness that the platform has historically been reluctant to accept.

Meanwhile, the attackers have already moved on. Related loader infrastructure appeared in other repositories, along with a likely overlap with a broader campaign targeting open-source ecosystems. The Open-OSS/privacy-filter account is gone. The six other malicious repositories linked to the same infrastructure are presumably also gone. The campaign has already been repackaged and will reappear under a different name, impersonating a different legitimate tool, the next time a major AI company releases something developers are actively searching for.

What You Should Actually Do If You Work With AI Tools

I want to be practical here because "be more careful" is advice that sounds good and changes nothing.

Verify the organization name character by character before cloning anything. openai/privacy-filter and open-oss/privacy-filter look almost identical at a glance. The difference is the organization. Check the organization's profile. If it has two repositories and was created last week, that is your answer.

Never run a setup script from a freshly cloned repository on your main development machine. Use a virtual machine or a containerized environment for anything you have not previously verified. The few minutes this adds to your workflow will feel very reasonable the first time something suspicious fires in the container and has no path to your real credentials.

Check your machines against the indicators of compromise published by HiddenLayer if you cloned anything from Hugging Face's trending page in early May 2026. The specific file hashes and command-and-control domains are publicly listed. If your security tooling has not already flagged them, running a manual check against the published IOCs takes twenty minutes and tells you definitively whether you were affected.

And if you were affected, you already know what the researchers said. Wipe the machine. Do not log in to anything first. The cost of wiping a development environment is real and annoying. The cost of not wiping a compromised one is everything else.
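The first and third of those steps (verify the organization before cloning, check files against published indicators afterwards) can both be scripted. The following is an added example and not HiddenLayer's tooling or anything Hugging Face ships: the trusted-organization allowlist and the repo catalog are constructed, the IoC hash set holds obviously labelled placeholders to be replaced with the advisory's values, and the only real identifier in it is the legitimate `openai/privacy-filter`.

```python
"""Pre-clone repo-id check and post-incident IoC hash check.

Added example. TRUSTED_ORGS, KNOWN_REPOS and IOC_SHA256 are constructed
placeholders; fill the real hashes from HiddenLayer's published advisory.
"""
import hashlib
import unicodedata
from pathlib import Path

# Constructed allowlist of organizations you have chosen to trust, spelled exactly.
TRUSTED_ORGS = {"openai", "meta-llama", "google"}
# Constructed catalog of repo ids published under trusted orgs (lower case).
KNOWN_REPOS = {"openai/privacy-filter"}
# Placeholders only: replace with the SHA-256 values from the advisory.
IOC_SHA256 = {"<sha256-from-advisory-1>", "<sha256-from-advisory-2>"}

# Digits and symbols that read as letters at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b"})


def normalize(name: str) -> str:
    """Fold case, Unicode compatibility forms, separators and homoglyphs so
    'Open-OSS', 'open_oss' and '0pen.oss' all compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = "".join(ch for ch in folded if ch not in "-_. ")
    return folded.translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row iterative version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shared_prefix(a: str, b: str) -> int:
    """Length of the common leading substring."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify_repo(repo_id: str) -> str:
    """'trusted', 'impersonation-risk', 'lookalike-org' or 'unknown'."""
    org, _, name = repo_id.partition("/")
    if org.casefold() in TRUSTED_ORGS:
        return "trusted"
    # Same repo name as one a trusted org publishes, but a different org: the
    # exact shape of Open-OSS/privacy-filter versus openai/privacy-filter.
    if any(known.split("/", 1)[1] == name.casefold() for known in KNOWN_REPOS):
        return "impersonation-risk"
    norm = normalize(org)
    for trusted in TRUSTED_ORGS:
        t = normalize(trusted)
        if edit_distance(norm, t) <= 2 or shared_prefix(norm, t) >= 4:
            return "lookalike-org"
    return "unknown"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every regular file under root, keyed by relative path."""
    return {
        str(p.relative_to(root)): sha256_bytes(p.read_bytes())
        for p in root.rglob("*") if p.is_file()
    }


def match_iocs(file_hashes: dict[str, str], iocs: set[str] = IOC_SHA256) -> list[str]:
    """Relative paths whose hash appears in the indicator set (case-insensitive)."""
    wanted = {h.casefold() for h in iocs}
    return sorted(path for path, digest in file_hashes.items() if digest.casefold() in wanted)


if __name__ == "__main__":
    import sys
    for repo_id in sys.argv[1:] or ["openai/privacy-filter", "Open-OSS/privacy-filter"]:
        print(f"{repo_id}: {classify_repo(repo_id)}")
    print("IoC matches in current directory:", match_iocs(hash_tree(Path("."))) or "none")
```

Anything other than "trusted" is a prompt to open the organization's profile before cloning, which is the manual check the article describes; the hash pass only tells you whether a known artifact is present, so a clean result after running a suspect setup script is not a clean bill of health, and the wipe advice still stands.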

The Larger Point That This Story Is Actually About

The AI ecosystem is being built at a speed that the security infrastructure underneath it was not designed for. 800,000 models on Hugging Face. Thousands of new ones uploaded every week. A community of developers who are brilliant, fast-moving, and operating with a level of trust in their tools that the current threat landscape no longer justifies.

The attackers have figured this out. The fact that they chose Hugging Face, chose to impersonate OpenAI specifically, chose to target the exact moment when developers would be searching for a newly announced tool, tells you that someone spent time understanding the ecosystem before deploying the attack. This was not opportunistic. It was researched.

The AI community builds tools to understand the world and to make systems smarter. The people targeting that community are studying the community with the same rigor that the community applies to its own problems.

244,000 downloads. Number one trending. Gone before most of the affected developers knew they had a problem.

The smartest people in technology got got by a typo in an organization name and a trending algorithm that did exactly what it was designed to do.

That should humble all of us.

Sources: HiddenLayer Research "Malware Found in Trending Hugging Face Repository Open-OSS/privacy-filter," May 7, 2026; The Hacker News "Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face," May 11, 2026; Security Boulevard "Fake OpenAI Repository on Hugging Face Pushes Infostealer Malware," May 11, 2026; CSO Online "Malicious Hugging Face model masquerading as OpenAI release," May 2026; Fyntralink "Fake OpenAI Model Steals Bank Credentials via Hugging Face," May 2026; Winbuzzer "Fake OpenAI Repository on Hugging Face," May 2026. Nothing here is security or legal advice.

Disclaimer: This blog contains affiliate links, I may earn a small commission if you purchase through them, at no additional cost to you. Your support is appreciated.