Hugging Face AI Updates: May 13, 2026

1. Malicious repository impersonating an OpenAI release tallied 244K downloads before removal

Hugging Face. Security researchers at HiddenLayer detailed a fake repository, Open-OSS/privacy-filter, that posed as an OpenAI privacy filter release and shipped a loader.py which fetched a Rust-based infostealer targeting browsers, Discord, and crypto wallets on Windows hosts. The download counter reached roughly 244,000 (likely inflated to boost credibility) and six additional repositories used identical loader logic, suggesting a coordinated supply-chain campaign against AI model registries. Source