Fake OpenAI Repo Steals Passwords, Crypto Seed Phrases on Hugging Face
A fake OpenAI repository on Hugging Face stole passwords, crypto seed phrases, browser cookies, Discord tokens, and SSH keys from developers who downloaded it during the roughly 18 hours it stayed live before takedown. The bait was a clone of OpenAI’s Privacy Filter model, and it climbed to the top of Hugging Face trending in that window before maintainers removed it. Anyone who ran the loader sent wallet recovery phrases and credentials directly to an attacker. Security researchers who flagged the cluster say at least six copycat repositories disguised as Qwen3, DeepSeek, and other open-weight models are still circulating. For anyone who self-custodies crypto on a developer workstation, this is not a vague supply-chain scare. It is the second such incident in weeks, right after the NPM attack. I’ll be honest: the cadence bothers me more than the trick itself. Twice in a month, ETH and SOL ecosystem builders have been the obvious target.

Hugging Face is the largest AI and machine learning hub on the public internet, and attackers gamed its trending algorithm to push the malicious repo to the #1 slot. The repository logged roughly 244,000 downloads and 667 likes in about 18 hours; once analysts reviewed the cluster, almost every one of those likes traced back to a fake account. That was enough. The listing moved to #1 in trending, which meant developers searching for legitimate OpenAI tooling saw it first, cloned it, and ran start.bat on Windows or loader.py on Linux and macOS. Why does this matter? Because “top result” still reads as “probably safe” to busy engineers moving fast, and nothing in a weights repo should need a batch file or a loader script to run in the first place.
The payload was a four-stage infostealer built to harvest developer credentials and cryptocurrency wallet data. The first stage swept Chrome and Firefox profiles for saved passwords and session cookies. The second lifted Discord tokens, the same class of credential behind the wave of NFT-community Discord compromises through 2023, including the BAYC Discord takeover that drained roughly $360,000 in NFTs in minutes. The third hunted the local disk for seed phrases stored in plaintext: Notion exports, Obsidian vaults, browser autofill caches, and screenshot folders. The fourth grabbed SSH keys, FTP credentials, and screenshots of the active session. Most writeups treat this like generic malware with a crypto add-on. That’s only half right. Researchers who reverse-engineered the loader after takedown say at least six other repositories were built from the same template, dressed up as Qwen3, DeepSeek, and other widely downloaded open-weight model packages.
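The four stages above share one observable trait: a single process that is not a browser, not Discord, and not an SSH client reads credential stores belonging to several different applications within seconds. That is detectable from file-access telemetry regardless of which repo the loader came from. The sketch below is an added example, not the article’s code and not any vendor’s rule. The event shape (ts, pid, proc, path) and the store paths are this example’s assumptions, modelled on where Chrome, Firefox, Discord and OpenSSH keep their data; the sample events are constructed.

```python
"""Detect one process sweeping credential stores across several apps.

Added example, not the article's code and not a vendor rule. Event shape
and paths are assumptions for this demo; feed it your EDR/auditd file-read
events in the same shape."""
import re
from collections import defaultdict

# Category -> path patterns. Windows and POSIX separators both accepted.
CATEGORY_PATTERNS = {
    "browser": [r"[/\\]Login Data$", r"[/\\]Cookies$", r"[/\\]logins\.json$",
                r"[/\\]key4\.db$", r"[/\\]cookies\.sqlite$"],
    "discord": [r"[/\\]discord[/\\]Local Storage[/\\]leveldb[/\\]"],
    "wallet":  [r"[/\\]Local Extension Settings[/\\]"],  # extension vaults (MetaMask, Phantom, ...)
    "ssh":     [r"[/\\]\.ssh[/\\]id_[a-z0-9]+$"],
    "ftp":     [r"[/\\]filezilla[/\\](sitemanager|recentservers)\.xml$"],
}

# Processes that legitimately read each store. Anything else touching it is a hit.
OWNER_PROCESSES = {
    "browser": {"chrome.exe", "chrome", "msedge.exe", "firefox.exe", "firefox"},
    "discord": {"discord.exe", "discord"},
    "wallet":  {"chrome.exe", "chrome", "msedge.exe", "firefox.exe", "firefox"},
    "ssh":     {"ssh", "ssh.exe", "ssh-agent", "ssh-add", "git", "git.exe"},
    "ftp":     {"filezilla.exe", "filezilla"},
}

WINDOW_SECONDS = 120   # a stealer sweeps everything in seconds; two minutes is generous
MIN_CATEGORIES = 2     # one store could be a backup tool; two is cross-app harvesting


def classify(path):
    """Return the credential-store category a path belongs to, or None."""
    for category, patterns in CATEGORY_PATTERNS.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns):
            return category
    return None


def detect(events, window=WINDOW_SECONDS, min_categories=MIN_CATEGORIES):
    """Return one alert per process that reads stores from >= min_categories
    categories it does not own, all within `window` seconds."""
    suspicious = defaultdict(list)  # (pid, proc) -> [(ts, category, path)]
    for ev in events:
        category = classify(ev["path"])
        if category is None:
            continue
        if ev["proc"].lower() in OWNER_PROCESSES[category]:
            continue  # an app reading its own store is normal
        suspicious[(ev["pid"], ev["proc"])].append((ev["ts"], category, ev["path"]))

    alerts = []
    for (pid, proc), hits in suspicious.items():
        hits.sort()
        for i, (start_ts, _, _) in enumerate(hits):
            window_hits = [h for h in hits[i:] if h[0] - start_ts <= window]
            categories = sorted({h[1] for h in window_hits})
            if len(categories) >= min_categories:
                alerts.append({
                    "pid": pid, "proc": proc, "categories": categories,
                    "first_ts": window_hits[0][0], "last_ts": window_hits[-1][0],
                    "paths": [h[2] for h in window_hits],
                })
                break  # one alert per process is enough
    return sorted(alerts, key=lambda a: a["first_ts"])


# Constructed sample telemetry: a loader.py sweep plus ordinary activity.
SAMPLE_EVENTS = [
    {"ts": 1000, "pid": 4242, "proc": "python.exe", "path": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 1001, "pid": 4242, "proc": "python.exe", "path": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": 1003, "pid": 4242, "proc": "python.exe", "path": r"C:\Users\dev\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"ts": 1004, "pid": 4242, "proc": "python.exe", "path": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abcdefghijklmnop\000003.log"},
    {"ts": 1009, "pid": 4242, "proc": "python.exe", "path": r"C:\Users\dev\.ssh\id_ed25519"},
    {"ts": 1002, "pid": 1111, "proc": "chrome.exe", "path": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 1005, "pid": 2222, "proc": "Discord.exe", "path": r"C:\Users\dev\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"ts": 1006, "pid": 3333, "proc": "git.exe", "path": r"C:\Users\dev\.ssh\id_ed25519"},
    {"ts": 1007, "pid": 5555, "proc": "Code.exe", "path": r"C:\Users\dev\Documents\notes.md"},
    {"ts": 1008, "pid": 6666, "proc": "backup.exe", "path": r"C:\Users\dev\.ssh\id_rsa"},  # one category: no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} ({alert['proc']}) read {alert['categories']} "
              f"between t={alert['first_ts']} and t={alert['last_ts']}")
```

The owner allowlist is what keeps this quiet on a normal workstation; the cross-category threshold is what separates a stealer from a backup agent that legitimately reads one store. Tune both to your fleet before trusting the alert volume.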
The crypto angle is direct, not abstract. Seed phrases sat on the payload’s explicit target list, not buried inside a generic credentials sweep. That tells you who the attackers had in mind: AI developers and ML engineers who keep MetaMask, Phantom, Rabby, or Ledger backup files on the same workstation they use to test models. My take: this overlap is underpriced as a security risk. Web3 engineers and AI engineers draw from the same Python and JavaScript talent pool, and they often run both stacks on one machine. Seed phrases stored in Notion pages, Obsidian vaults, plaintext .txt files, or password manager exports get scraped in seconds by a loader that knows where to look. Is a dedicated seed-phrase sweep overkill for an attacker? No. If a developer had even a testnet wallet whose recovery phrase was cached on disk, mainnet funds derived from that same seed are likely gone before any takedown notice reaches the trending page. ETH and SOL holders are the most exposed cohort here. Both ecosystems run on JavaScript and Python tooling that AI engineers touch every day, and Phantom in particular keeps wallet state in a Chrome extension whose encrypted vault file the malware can lift in a single read for offline brute force, which leaves the wallet password’s strength as the only thing between exfiltration and a drained account.
The second angle is systemic. This is the same supply-chain attack pattern that hit NPM weeks ago, now ported wholesale to AI model registries. Supply-chain attacks against package managers used to require compromising a maintainer account or taking over an abandoned package. Slow. Noisy. Often caught. The new playbook is cheaper: publish a lookalike repo, pay a botnet to mint downloads and likes, ride the algorithmic trending feed for one news cycle, harvest credentials for 18 hours, then disappear before takedown. Counter to the usual advice, “only download popular repos” becomes actively dangerous when popularity itself is the exploit. Hugging Face runs no equivalent of npm audit over the scripts a repo ships, offers no verified-publisher checkmark like the one PyPI piloted in late 2024, and imposes no signed-commit requirement for trending eligibility. The precedents are ugly. Security incident records show the ua-parser-js takeover in 2021 sat live for hours and dropped a crypto miner plus a credential stealer across millions of downstream installs. The Ledger Connect Kit compromise in December 2023 drained roughly $600,000 from connected wallets in under two hours. For crypto infrastructure now leaning on AI, including trading bots running LLM-driven signals and custody providers piloting ML risk engines, the attack surface just gained another registry. Exchanges and custodians running internal AI pipelines should treat any Hugging Face download from the last 30 days as suspect until the repo’s commits are verified against a known author key and the downloaded files match digests recorded at review time, not just the current contents of a branch that can move.
Hugging Face has not published a public post-mortem on the detection timeline, the bot network used for inflation, or whether a single account family is responsible for the six adjacent repos. Researchers escalated. The platform pulled the listings. No coordinated disclosure with affected wallet vendors or browser developers has been announced. That silence is not a small process issue. It is the window attackers need. Breach-disclosure analyses of the 2022 LastPass incident point to the months between exfiltration and full disclosure, when users still assumed their vaults were safe, as the period that did the most damage. The same window applies here for any seed phrase sitting in a developer’s Notion vault right now. I would not wait for a neat post-mortem before rotating anything that touched that machine.
What this means
The core takeaway: attackers have figured out that crypto developers and AI developers are substantially the same population, and AI model registries are now the soft entry point that bypasses years of hardening on npm, PyPI, and GitHub. The real signal is not “AI tooling is dangerous.” It is that wallet drainer kits that used to target browser extensions and Discord phishing now ship inside fake model weights with a start.bat and ride the algorithm. Yes, this sounds like it contradicts the usual “just use reputable platforms” advice. Bear with me: the platform is reputable; the ranking layer was the weak point. The most exposed assets are SOL and ETH balances held on developer machines, plus any L1 or L2 testnet keys derived from the same seed as a mainnet wallet. Hardware wallet users whose seed phrase was generated on-device and never typed into a connected machine are safe from the seed-theft vector, though not from the cookie, Discord token, and SSH key theft that ran alongside it. Researchers tracking the cluster say everyone else should treat the last 30 days of Hugging Face downloads on any developer workstation as untrusted, audit every repo against the cluster of six the researchers identified, and rotate seeds for any wallet whose phrase ever lived on that machine, including one stored encrypted in a password manager, because the loader exfiltrates the vault file for offline cracking.
Two indicators to watch over the next two weeks will determine whether this becomes a one-off incident or the opening move of a broader campaign against AI model registries. First, whether Hugging Face publishes a verified-publisher standard or a signed-commit requirement for trending eligibility. That’s the same pressure PyPI absorbed after the 2024 typosquatting wave that pushed major maintainers toward Sigstore. The platform’s response sets the precedent for the next round of fake OpenAI packages and the broader pattern of crypto-targeting supply-chain attacks through GitHub. Second, whether the six adjacent repos masquerading as Qwen3 and DeepSeek surface fresh variants under new account names within days. Could this stop here? Maybe, but I would not plan around that. The bot inflation infrastructure that pushed the OpenAI clone to #1 is reusable, cheap, and almost certainly still operational somewhere. If you run a treasury wallet on a workstation that pulls weights or packages from Hugging Face, GitHub, or PyPI without checksum verification, move custody to cold storage or a hardware-wallet-only environment this week. Skip the debate. The NPM breach was the warning shot. This was the follow-up, and the cadence suggests a third is already staged.
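Both the systemic section and the closing advice come down to one habit: never execute anything from a model repo you have not triaged, and never trust a branch name when you could pin a commit and a digest. The script below is an added example, not the article’s code and not Hugging Face tooling. It works offline on a file listing and on downloaded bytes; the listings, the lockfile and the blobs are constructed for the demo, and the suffix lists are this example’s own judgement calls about what a weights repo should and should not contain.

```python
"""Pre-flight triage for a model repo before anything in it is run or loaded.

Added example, not Hugging Face's tooling or the article's. Assumes you
already have the repo's file list and, after a manual review, a lockfile of
pinned SHA-256 digests committed alongside your own code."""
import hashlib
import re
from pathlib import PurePosixPath

# Files that run code when executed or imported. A weights repo has no
# business shipping these; the bait described above shipped start.bat and loader.py.
EXECUTABLE_SUFFIXES = {".bat", ".cmd", ".ps1", ".sh", ".py", ".exe", ".dll", ".js", ".vbs"}
# Pickle-bearing weight formats: deserialising them runs arbitrary code.
PICKLE_SUFFIXES = {".bin", ".pt", ".pth", ".pkl", ".pickle", ".ckpt"}
# Formats that carry no code on load.
INERT_SUFFIXES = {".safetensors", ".gguf", ".json", ".txt", ".md"}


def triage_files(files):
    """Bucket repo file names by risk. Returns a dict of lists."""
    buckets = {"executable": [], "pickle": [], "inert": [], "other": []}
    for name in files:
        suffix = PurePosixPath(name).suffix.lower()
        if suffix in EXECUTABLE_SUFFIXES:
            buckets["executable"].append(name)
        elif suffix in PICKLE_SUFFIXES:
            buckets["pickle"].append(name)
        elif suffix in INERT_SUFFIXES:
            buckets["inert"].append(name)
        else:
            buckets["other"].append(name)  # report, but do not decide on these
    return buckets


def verdict(files):
    """'block' if the repo ships executables, 'review' if it ships pickle weights, else 'ok'."""
    buckets = triage_files(files)
    if buckets["executable"]:
        return "block"
    if buckets["pickle"]:
        return "review"
    return "ok"


def is_pinned_revision(revision):
    """True only for a full commit hash; 'main' can change under you after review."""
    return re.fullmatch(r"[0-9a-f]{40}", revision or "") is not None


def verify_digests(blobs, lock):
    """Compare the SHA-256 of each downloaded blob with the pinned lockfile.

    blobs: {filename: bytes}; lock: {filename: hex sha256}.
    Returns {filename: 'ok' | 'mismatch' | 'missing' | 'unpinned'}."""
    result = {}
    for name, expected in lock.items():
        if name not in blobs:
            result[name] = "missing"
            continue
        actual = hashlib.sha256(blobs[name]).hexdigest()
        result[name] = "ok" if actual == expected.lower() else "mismatch"
    for name in blobs:
        if name not in lock:
            result[name] = "unpinned"  # downloaded, but nobody reviewed it
    return result


# Constructed listings: one shaped like the bait, one clean, one pickle-only.
BAIT_LISTING = ["README.md", "config.json", "model.safetensors", "start.bat", "loader.py"]
CLEAN_LISTING = [".gitattributes", "README.md", "config.json", "model.safetensors", "tokenizer.json"]
PICKLE_LISTING = ["README.md", "config.json", "pytorch_model.bin"]

# Constructed lockfile and blobs. The digests are SHA-256 of b"abc" and of b"",
# so config.json matches and model.safetensors is detected as altered.
SAMPLE_LOCK = {
    "config.json": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "model.safetensors": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
SAMPLE_BLOBS = {"config.json": b"abc", "model.safetensors": b"tampered", "loader.py": b"import os"}

if __name__ == "__main__":
    print("bait:", verdict(BAIT_LISTING), triage_files(BAIT_LISTING)["executable"])
    print("clean:", verdict(CLEAN_LISTING), "| pinned 'main'?", is_pinned_revision("main"))
    print("digests:", verify_digests(SAMPLE_BLOBS, SAMPLE_LOCK))
```

In practice the listing comes from the hub API pinned to a commit (for example `huggingface_hub.HfApi().list_repo_files(repo_id, revision=<commit sha>)`), and the lockfile is written once, after a human has read the repo, and committed next to the code that consumes the model. A "block" verdict means nothing from that repo runs, full stop; "review" means load only through a loader that refuses pickle, or convert to safetensors on an isolated host first.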
