Malicious Hugging Face Repository Typosquats OpenAI

By Team-CWD, May 12, 2026

Security researchers have uncovered covert infostealer malware hidden in one of the top-ranking repositories on Hugging Face, in another example of the dangers posed by the AI supply chain.

AI security vendor HiddenLayer explained in a blog post that it had identified the Open-OSS/privacy-filter repository as malicious on May 7.

At the time it appeared as one of the top-trending repositories on the platform, with over 244,000 downloads and 667 likes in under 18 hours. These figures “were almost certainly artificially inflated” to make the repository appear legitimate, the report claimed.

The repo itself typosquatted OpenAI’s legitimate Privacy Filter release, copying its model card almost verbatim, HiddenLayer claimed.

Read more on Hugging Face threats: Malicious AI Models on Hugging Face Exploit Novel Attack Technique.

The attack chain for this campaign was spread over six stages. Users who landed on the malicious repository were instructed to clone it and run start.bat (Windows) or python loader.py (Linux/macOS) directly, according to the report.

The Python script contained a base64-encoded string which ultimately dropped a malicious executable – a Rust-based infostealer.

The infostealer featured multiple techniques to bypass the victim’s security controls.

“It hides its use of Windows APIs to defeat static analysis, runs checks to detect debuggers and sandboxes, looks for signs it’s running in a virtual machine (VirtualBox, VMware, QEMU, Xen), and attempts to disable Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to evade behavioral detection,” the report explained.

The malware was designed to steal browser passwords and session cookies, Discord tokens, crypto wallets, Telegram sessions, and more.

Mitigation Tactics

HiddenLayer urged any user who cloned the malicious repo and executed start.bat, python loader.py or any other file from the repository to treat their system as fully compromised.

“Because the payload is a credential-harvesting infostealer, do not log into anything from the affected host before wiping it,” the vendor explained.

“Once the host is isolated, rotate every credential that was stored in browsers, password managers, or credential stores on that machine, including saved passwords, session cookies, OAuth tokens, SSH keys, FTP credentials (FileZilla in particular), and any cloud provider tokens.”

Users should treat browser sessions as compromised even if the password was not saved, because stolen session cookies allow threat actors to bypass MFA. They should also:

  • Move any cryptocurrency wallet funds to a new wallet generated on a clean device, and assume seed phrases, keystores, and wallet extension data may have been stolen
  • Invalidate Discord sessions and reset Discord passwords, since tokens and master keys are explicitly targeted
  • Block the IOCs in the report at egress, and hunt historically for connections to identify any other affected hosts
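As an added example, not code from the HiddenLayer report or from the repository it describes, here is a triage check a defender could run over a cloned repository's loader script before anything is executed: it finds long base64 literals and flags any that decode to a Windows PE image, the delivery pattern the article describes. The sample loader and the minimal fake PE it embeds are constructed here for the demonstration.

```python
import base64
import re
import struct

# Constructed stand-in for the kind of loader described: a Python script carrying
# a long base64 literal that decodes to a Windows executable. The "executable" is
# a minimal fake PE header built inline, not real malware.
def _fake_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 58)      # DOS header up to e_lfanew (offset 0x3C)
    hdr += struct.pack("<I", 0x80)             # e_lfanew: PE signature lives at 0x80
    hdr += b"\x00" * (0x80 - len(hdr))         # pad to the PE header offset
    hdr += b"PE\x00\x00" + b"\x00" * 32        # PE signature plus a zeroed stub
    return bytes(hdr)

SAMPLE_LOADER = (
    "import base64, tempfile, subprocess\n"
    "blob = '" + base64.b64encode(_fake_pe()).decode() + "'\n"
    "data = base64.b64decode(blob)\n"
    "# (a real loader would go on to write and execute `data`)\n"
)

# Quoted base64 literal of at least 64 characters, optionally padded.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_executables(source: str) -> list:
    """Return (offset, decoded_size) for each base64 literal in source that decodes to a PE."""
    hits = []
    for m in B64_LITERAL.finditer(source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # not valid base64 after all; skip it
        if looks_like_pe(decoded):
            hits.append((m.start(1), len(decoded)))
    return hits

if __name__ == "__main__":
    for offset, size in find_embedded_executables(SAMPLE_LOADER):
        print(f"embedded PE image: literal at offset {offset}, {size} bytes decoded")
```

Run it over loader.py (or any script from a freshly cloned repository) by passing the file's text to find_embedded_executables; a hit is a reason to stop and isolate, not to run the script.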

Infostealers continue to fuel a thriving cybercrime economy. Last month, data from KELA revealed that at least 347 million credentials had originally been obtained by infostealers running on around 3.9 million infected machines.

Image credit: sdx15 / Shutterstock.com