Sefirah infostealer delivered through a malicious Hugging Face repository

Malware Activity
Happening score
H score 22
1 unique source, 1 article

Summary

A malicious Hugging Face repository impersonated OpenAI’s Privacy Filter and delivered Sefirah, a Rust-based infostealer, to Windows users, exposing them to credential theft. The repository briefly hit #1 on the platform and was reported to have 244,000 downloads before removal. The payload chain used a deceptive `loader.py`, a downloaded `start.bat`, and Microsoft Defender exclusion changes to execute the malware. Stolen data was compressed and exfiltrated to recargapopular[.]com.

Related Happenings

Grafana Labs Says GitHub hit by cyberattack

Incident
First: 17.05.2026 10:13 Last: 17.05.2026 10:13 Sources 1

About this happening: A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...

Open-OSS/privacy-filter Hugging Face infostealer activity

Malware Activity
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...

Hugging Face shared-loader supply chain campaign

Campaign
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Ministry of Justice and Legal Affairs of Oman hit by network compromise

Incident
First: 06.05.2026 16:00 Last: 06.05.2026 16:00 Sources 1

About this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...

Timeline

  1. 09.05.2026 17:26 1 article · 18d ago

    HiddenLayer discovers malicious Open-OSS/privacy-filter repository

    Detection IoC Update

    HiddenLayer discovered a malicious Open-OSS/privacy-filter repository on Hugging Face on May 7, 2026. The repository typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and used `loader.py` to fetch and execute infostealer malware on Windows machines.

  2. 09.05.2026 17:26 2 articles · 18d ago

    Hugging Face removes trending malicious repository after reports

    Initial Disclosure

    The malicious Open-OSS/privacy-filter repository briefly reached #1 on Hugging Face, accumulated 244,000 downloads, and was removed after reports to the platform on May 9, 2026.
