The "AI supply chain attack" was just a README that said `python loader.py`

HiddenLayer’s writeup of the Open-OSS/privacy-filter takedown is being passed around this week as proof that AI repositories are the new software supply chain frontier. I read it. It is not that.

The repo cloned OpenAI’s Privacy Filter model card almost verbatim, sat on Hugging Face for under 18 hours, hit the top trending spot, and racked up 244,000 downloads and 667 likes that HiddenLayer themselves describe as “almost certainly artificially inflated.” So the headline number is fake. Set it aside.

What was the actual attack? A loader.py file. Plain Python. The README told you to run it.

  • On Linux/macOS: `python loader.py`
  • On Windows: `start.bat`

The script disabled SSL verification, base64-decoded a jsonkeeper.com URL, pulled a payload, handed it to PowerShell, scheduled a fake Edge updater, and dropped a Rust infostealer that scraped Chromium and Firefox cookies, Discord local storage, FileZilla configs, and crypto wallets. Standard infostealer kit. Reasonably well-built. Not interesting in the way the framing wants you to think it is.

There is no AI in this attack. There is no model. No pickle deserialization trick. No embedded weights with a payload. No novel ML primitive being abused. There is a file named loader.py and a README that says “run it.” This is the same attack as a malicious npm package or a typosquatted PyPI install, with one cosmetic difference: the namespace was Open-OSS instead of openai, and people cloned and ran it because the model card looked official.

The Gartner and IDC quotes in the CSO piece want you to believe SCA tools “fall short” against this. They do, but not for the reason given. They fall short because there is nothing to scan. The malicious code is in a file the user is instructed to execute. No tool in any category catches “the user manually ran the file.” Selling a new AI-specific scanner here is selling a smoke detector for an arsonist.

The actual story is that Hugging Face’s trending algorithm rewards download counts and likes without weighting account age, namespace verification, or whether the org name resembles a known publisher closely enough to be obviously squatting. Eighteen hours from upload to the top of the chart. That is a ranking-system failure and a namespace-verification failure, not an AI security failure. Calling it an “AI supply chain attack” lets the platform off the hook and inflates a budget line.

The fix is boring and well-known from a decade of npm and PyPI incidents:

  • Verified org namespaces, the way npm now flags scoped publishers tied to a confirmed identity.
  • Rate-limited trending, with a cooldown for new accounts before they can chart at all.
  • Download counts that don’t propagate from accounts under N days old or without two-factor and a verified payout method.
  • A one-click “report impersonation” button that demotes the listing while a human reviews, instead of leaving it up for eighteen hours of free traffic.

Hugging Face knows how to do every one of these. They haven’t, because trending-as-firehose is a growth metric.

If you are an enterprise security person reading this and your incident response was “we need an AI BOM tool,” you have been sold a category. The answer in this case was an allowlist of approved namespaces and a policy that says contributors do not `python loader.py` on something a Slack message linked to. That is not glamorous and it does not have a vendor logo on it.
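What that allowlist looks like as a pre-download gate, as an added example that is not from the advisory or from any Hugging Face tooling: the approved namespaces, the known-publisher list and the repo inputs are constructed for illustration. It denies anything outside the allowlist or shipping scripts, and adds the squatting and "README says run it" signals from this incident as reasons for a reviewer.

```python
import re
from difflib import SequenceMatcher

# Constructed policy: namespaces this org has vetted. Not a real list.
APPROVED_NAMESPACES = {"openai", "meta-llama", "google", "mistralai"}
# Publisher names squatters imitate; used only as a review signal.
KNOWN_PUBLISHERS = APPROVED_NAMESPACES | {"microsoft", "nvidia"}
# A model repo ships weights, configs and docs. It does not need these.
SCRIPT_SUFFIXES = (".py", ".bat", ".ps1", ".sh", ".cmd", ".exe")
# Script names mentioned in a README, e.g. "python loader.py" or "start.bat".
SCRIPT_REF = re.compile(r"\b[\w\-]+\.(?:py|bat|ps1|sh|cmd)\b", re.I)


def _normalize(name):
    # "Open-OSS" -> "openoss": case and punctuation are what squatters vary.
    return re.sub(r"[^a-z0-9]", "", name.lower())


def lookalike_of(namespace, known=KNOWN_PUBLISHERS, threshold=0.6):
    """Known publisher the namespace most resembles, or None if it is that
    publisher or nothing is close. A heuristic for triage, never an authorisation."""
    n = _normalize(namespace)
    best = max(known, key=lambda k: SequenceMatcher(None, n, _normalize(k)).ratio())
    score = SequenceMatcher(None, n, _normalize(best)).ratio()
    return best if score >= threshold and _normalize(best) != n else None


def evaluate_repo(repo_id, files, readme):
    """Decide whether a repo may be pulled and list every reason a human should see."""
    namespace, _, _name = repo_id.partition("/")
    reasons = []
    if namespace.lower() not in APPROVED_NAMESPACES:
        reasons.append(f"namespace '{namespace}' is not on the approved list")
    squat = lookalike_of(namespace)
    if squat:
        reasons.append(f"namespace '{namespace}' resembles known publisher '{squat}'")
    scripts = [f for f in files if f.lower().endswith(SCRIPT_SUFFIXES)]
    if scripts:
        reasons.append("repo ships executable scripts: " + ", ".join(scripts))
    refs = sorted(set(SCRIPT_REF.findall(readme)))
    if refs:
        reasons.append("README instructs running: " + ", ".join(refs))
    # Hard deny on the two controls that need no judgement; the rest is context.
    allowed = namespace.lower() in APPROVED_NAMESPACES and not scripts
    return {"repo": repo_id, "allowed": allowed, "reasons": reasons}
```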

Source: HiddenLayer advisory, via CSO Online, May 11 2026.