
TrustBastion Android malware campaign abusing Hugging Face for credential theft

Campaign
Happening score (H score): 41
2 unique sources, 2 articles

Summary


A new Android malware campaign is abusing Hugging Face as distribution infrastructure to deliver polymorphic APKs that steal credentials from users of financial and payment services.

Related Happenings

Open-OSS/privacy-filter Hugging Face infostealer activity

Malware Activity
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...

Sefirah infostealer delivered through a malicious Hugging Face repository

Malware Activity
First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...

Hugging Face Spaces vsccode-modetx dropper campaign

Campaign
First: 16.04.2026 19:58 Last: 16.04.2026 19:58 Sources 1

About this happening: The **April 12, 2026** campaign abusing **Hugging Face Spaces** broadened malicious delivery against AI platform users and increased the risk of stealthy payload execution. An att...

EngageLab SDK intent redirection security flaw

Vulnerability
First: 09.04.2026 20:26 Last: 09.04.2026 20:26 Sources 1

About this happening: A **now-patched intent redirection vulnerability** in the **EngageLab SDK** could let **malicious apps** bypass the **Android security sandbox** and access private data in apps us...

PromptSpy Android malware with Gemini-assisted persistence and spyware capabilities

Malware Activity
First: 20.02.2026 00:36 Last: 20.02.2026 00:36 Sources 1

About this happening: The **PromptSpy** Android malware family now stands out as the first known **Android malware** to use **Google Gemini** at runtime, letting it adapt app-pinning steps across devic...

Timeline

  1. 30.01.2026 00:08 · 2 articles

    Bitdefender discloses Hugging Face Android malware campaign

    Initial Disclosure

    Bitdefender disclosed an Android malware campaign that abused Hugging Face as a repository for thousands of APK variants and used the TrustBastion dropper with trustbastion[.]com redirects to deliver a malicious payload. The campaign lured victims with scareware-style ads, a fake Google Play update prompt, and a decoy security-tool interface. It then used server-side polymorphism to change payloads every 15 minutes, stole credentials from financial services such as Alipay and WeChat, captured screenshots, and abused Android’s Accessibility Services. The payload-serving repository was later removed, and the operation resurfaced as Premium Club.
