Malicious AI and Software Repositories Spread Rust-Based Infostealers
Threat researchers uncovered multiple malware campaigns abusing trusted developer and AI distribution platforms to spread Rust-based infostealers through fake or typosquatted repositories. HiddenLayer found that a malicious Hugging Face project, Open-OSS/privacy-filter, impersonated OpenAI’s legitimate Privacy Filter repository, briefly became the platform’s top trending project, and was downloaded about 244,000 times before removal. The repository’s loader.py fetched a multi-stage payload ending in the sefirah infostealer, which harvested browser data, Discord tokens, cryptocurrency wallet data, SSH/FTP/VPN credentials, local files, system details, and screenshots, then exfiltrated the data to recargapopular[.]com. Researchers also linked the activity to overlaps with an npm typosquatting campaign associated with the WinOS 4.0 implant.
In a parallel campaign, Netskope reported that attackers impersonated the OpenClaw project with a fake installer site and a typosquatted GitHub organization to deliver a previously undocumented Rust dropper called Hologram and a modular implant framework. The malware targeted credentials from more than 250 cryptocurrency wallet, password manager, and 2FA browser extensions, while using anti-sandbox checks, in-memory .NET execution, reflective PE loading, persistence via Userinit, COM hijacking, and scheduled tasks, plus direct NT syscall thread injection. Operators staged and relayed infrastructure through legitimate services including Azure DevOps, Telegram, Hookdeck, snippet.host, and Pastebin; Netskope said the operation marked the first documented malware abuse of Hookdeck as a C2 relay and later evolved into a third wave, Pathfinder, that added confirmed Vidar infostealer delivery.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
QiAnXin reports fake DeepSeek TUI repos tied to OpenClaw campaign
QiAnXin Threat Intelligence Center reported that threat actors were impersonating the legitimate DeepSeek TUI project on GitHub to distribute Rust-based malware linked to the previously documented OpenClaw infrastructure. The report said the operators were rotating AI-themed brands and using Pastebin, snippet.host, Telegram, and related command-and-control infrastructure to deliver payloads and maintain persistence on Windows systems.
HiddenLayer links Hugging Face malware to broader ValleyRAT/Winos campaign
HiddenLayer said it found six additional repositories using similar malicious loaders and identified infrastructure overlap with a prior npm-based ValleyRAT/Winos 4.0 campaign. The researchers assessed the activity as part of a broader open-source supply-chain operation and suggested possible links to Chinese threat activity associated with Silver Fox.
BleepingComputer reports Hugging Face malware campaign and impact
BleepingComputer reported that the fake OpenAI-themed Hugging Face repository had been removed after reaching the top trending position and recording 244,000 downloads. The article summarized HiddenLayer's findings and warned affected users to reimage systems, rotate credentials, replace crypto wallets and seed phrases, and invalidate sessions and tokens.
Netskope publishes analysis of OpenClaw Hologram campaign
Netskope published its report on the fake OpenClaw installer campaign, detailing the Hologram dropper, the Pathfinder evolution, and the use of Hookdeck as a command-and-control relay. The company described this as the first documented malware use of Hookdeck for that purpose.
HiddenLayer publishes research on malicious Hugging Face repo
HiddenLayer publicly released research describing malware in the trending Open-OSS/privacy-filter Hugging Face repository. The report documented the impersonation of OpenAI's project and the malware delivery chain.
Netskope discloses OpenClaw campaign to vendors and CERT.br
On May 7, Netskope disclosed the fake OpenClaw installer campaign to CERT.br, Microsoft MSRC, GitHub, and Hookdeck. The notifications followed the company's investigation into the malware infrastructure and abuse of legitimate services.
Researchers discover malicious Hugging Face repository
HiddenLayer discovered the typosquatted Open-OSS/privacy-filter repository on May 7 and analyzed its malware delivery chain. The researchers also noted overlaps with an npm typosquatting campaign associated with the WinOS 4.0 implant.
OpenClaw operators rotate infrastructure into Pathfinder wave
During analysis, Netskope observed the operators shift to a third campaign wave called Pathfinder, adding new binaries including confirmed Vidar infostealer. The campaign also abused services such as Azure DevOps, Telegram, Hookdeck, snippet.host, and Pastebin for staging, telemetry, and command-and-control resilience.
Netskope observes Hologram wave using fake OpenClaw installer
Netskope Threat Labs identified an active campaign using a fake OpenClaw installer site and a typosquatted GitHub organization to deliver a previously undocumented Rust dropper named Hologram and a modular implant framework. The malware targeted credentials from more than 250 crypto wallet, password manager, and 2FA browser extensions and used multiple persistence and injection techniques.
Malicious Hugging Face repo delivers sefirah infostealer
The fake Hugging Face repository used a deceptive loader.py script to fetch and execute a multi-stage malware chain ending in the Rust-based infostealer sefirah. The malware stole browser data, tokens, wallet information, credentials, local files, system details, and screenshots, then exfiltrated data to recargapopular[.]com.
Threat actors publish typosquatted OpenAI-themed Hugging Face repository
A malicious Hugging Face repository, Open-OSS/privacy-filter, was created to impersonate OpenAI's legitimate Privacy Filter project and distribute malware. The repository briefly became the platform's top trending project and accumulated about 244,000 downloads.
OpenClaw campaign begins with earlier Vidar and PureLogs delivery waves
Netskope reported that the fake OpenClaw installer operation spanned at least three waves, with earlier stages delivering Vidar and PureLogs before evolving into a more complex framework. These earlier waves predated the later Hologram and Pathfinder activity described in the report.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Hackers Use Fake DeepSeek TUI GitHub Repositories to Deliver Malware
cybersecuritynews.com
Open sourceTrending Hugging Face Repository With 200k Downloads Executes Malware on Windows Machines - Cyber Security News
cybersecuritynews.com
Open sourceFake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads
thehackernews.com
Open sourceMalicious Hugging Face model masquerading as OpenAI release hits 244K downloads | InfoWorld
infoworld.com
Open sourceFake OpenAI repository on Hugging Face pushes infostealer malware
bleepingcomputer.com
Open sourceOpenClaw's Hologram: Fake Installer Ships Rust Infostealer - Netskope
netskope.com
Open sourceMalware Found in Trending Hugging Face Repository "Open-OSS/privacy-filter"
hiddenlayer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malware campaigns abuse developer ecosystems via malicious npm packages and GitHub repositories
Security researchers reported multiple **software supply chain-style malware distribution** efforts abusing developer-adjacent platforms. JFrog detailed a malicious npm package, `@openclaw-ai/openclawai`, masquerading as an *OpenClaw* CLI installer; once executed, it uses a `postinstall` hook to reinstall globally and drop an obfuscated first-stage (`setup.js`) that deploys a multi-stage payload internally identified as **GhostLoader** (campaign tracked as **GhostClaw**). The malware is designed to persist and exfiltrate a broad set of sensitive data from developer workstations, including credentials (e.g., cloud config artifacts for **AWS/GCP/Azure**), macOS Keychain data, browser sessions, SSH keys, and cryptocurrency wallet/seed material. Separately, Trend Micro reported a large-scale distribution operation for the **BoryptGrab** information stealer via **100+ public GitHub repositories** that pose as legitimate tools and game cheats. The campaign uses SEO manipulation (keyword-stuffed READMEs and lookalike download pages) to drive victims from search results into redirect chains that ultimately deliver ZIP archives containing the stealer; some variants also deploy a PyInstaller backdoor (**TunnesshClient**) that establishes a reverse SSH tunnel for attacker communications. Reported indicators (e.g., Russian-language comments and related infrastructure) suggest a possible Russian nexus, and the observed targeting focuses on harvesting browser data, crypto wallets, system information, and user files.
Apr 2, 2026
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
Mar 21, 2026
Malware Delivery via Deceptive Distribution and Evasion Techniques
Threat researchers reported multiple active campaigns focused on **stealthy malware delivery** by abusing trusted execution paths and deceptive distribution. Trellix described attackers using **DLL side-loading** against a legitimate, signed `ahost.exe` binary associated with the *c-ares* ecosystem (commonly seen with GitKraken Desktop) by placing a malicious `libcares-2.dll` alongside the executable to trigger search-order hijacking and execute attacker code. The activity was linked to delivery of commodity malware families including **Agent Tesla, Formbook, Remcos RAT, Quasar RAT, DCRat, XWorm, Vidar Stealer, Lumma Stealer, CryptBot**, and others, with targeting observed across business functions (finance, procurement, supply chain, administration) and lures in multiple languages, suggesting regionally focused operations. Separately, Malwarebytes documented a **fake RustDesk download site** (`rustdesk[.]work`) that installs legitimate RustDesk while silently deploying a persistent backdoor framework (**Winos4.0**) via a trojanized installer (e.g., `rustdesk-1.4.4-x86_64.exe`), relying on user deception rather than exploiting a software vulnerability. Sucuri detailed a WordPress compromise where attackers modified `index.php` to perform **selective content injection/SEO cloaking**, using IP-verified logic with hardcoded **Google ASN CIDR ranges** to serve malicious content to Googlebot while showing normal content to human visitors and site owners—an evasion technique that can facilitate downstream malware distribution while reducing the chance of detection.
Mar 21, 2026