CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Android Malware Campaign Abuses Hugging Face Platform

First reported
Last updated
2 unique sources, 3 articles

Summary

Hide ▲

A new Android malware campaign has been observed leveraging the Hugging Face platform to distribute thousands of APK payload variants designed to steal credentials from financial and payment services. The attack begins with the dropper app TrustBastion, which uses scareware-style ads and fake system update prompts to trick users into installing it. The malware then redirects to a Hugging Face repository to download the final payload, employing server-side polymorphism to evade detection and exploiting Android’s Accessibility Services to monitor activity and capture credentials. Bitdefender discovered over 6,000 commits in the repository, which was taken down but resurfaced under the name 'Premium Club.' Bitdefender published indicators of compromise and notified Hugging Face, which removed the malicious datasets. A separate infostealer campaign was uncovered on Hugging Face, where the repository 'Open-OSS/privacy-filter' typosquatted OpenAI's legitimate Privacy Filter release to distribute a Rust-based infostealer. The malicious repository achieved high visibility with over 244,000 downloads and 667 likes in under 18 hours, likely artificially inflated, and instructed users to clone and execute scripts to initiate the infection. The infostealer used evasion techniques and targeted browser passwords, session cookies, Discord tokens, crypto wallets, Telegram sessions, and other credentials. HiddenLayer urged affected users to treat their systems as fully compromised, rotate all credentials, and follow remediation steps.

Timeline

  1. 12.05.2026 12:30 1 articles · 23h ago

    Typosquatted Hugging Face Repository Distributes Rust Infostealer

    Security researchers uncovered a malicious Hugging Face repository, 'Open-OSS/privacy-filter', which typosquatted OpenAI's legitimate Privacy Filter release by copying its model card almost verbatim. The repository achieved high visibility with over 244,000 downloads and 667 likes in under 18 hours, likely artificially inflated, and instructed users to clone the repository and execute start.bat (Windows) or python loader.py (Linux/macOS) directly. The attack chain involved a base64-encoded string in the Python script that ultimately dropped a Rust-based infostealer, which used multiple techniques to bypass security controls including hiding Windows API use, detecting debuggers and sandboxes, checking for virtual machines, and attempting to disable Windows AMSI and ETW. The infostealer targeted browser passwords, session cookies, Discord tokens, crypto wallets, Telegram sessions, and other credentials. HiddenLayer warned users who executed files from the repository to treat their systems as fully compromised and rotate all credentials stored on the affected host.

    Show sources
    Open in new tab
  2. 30.01.2026 00:08 3 articles · 3mo ago

    Hugging Face Abused to Distribute Android Malware

    The infection chain begins when users download the malicious Android app TrustBastion, which appears as scareware via popups claiming the device is infected with malware. The dropper app prompts users to run an update that mimics legitimate Google Play and Android system update dialog boxes. The dropper contacts an encrypted endpoint hosted at trustbastion[.]com, which returns an HTML file containing a redirect link to the Hugging Face repository hosting the malware. The malware masquerades as a 'Phone Security' feature to guide users through enabling Accessibility Services. The malware requests permissions for screen recording, screen casting, and overlay display to monitor all user activity and capture screen content. The malware captures lockscreen information for security verification of financial and payment services.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

TrickMo C Variant Adopts TON Blockchain for Decentralized C2 and Expands Network Pivot Capabilities

A new variant of the TrickMo Android banking trojan, designated TrickMo C, has fully transitioned its command-and-control (C2) infrastructure to The Open Network (TON) Blockchain, using .adnl identities to evade traditional domain-based takedowns and embedding a native TON proxy at launch. The variant, identified in campaigns between January and February 2026, targeted banking and wallet users in France, Italy, and Austria via TikTok-themed lures distributed through Facebook ads and dropper apps impersonating Google Play Services. TrickMo C retains core device-takeover capabilities, including credential phishing, keylogging, screen streaming, OTP suppression, and real-time remote control, while expanding operational roles by incorporating a network-operative subsystem for reconnaissance and authenticated SSH tunneling and SOCKS5 proxying. Infected devices are repurposed as programmable network pivots, enabling lateral movement and traffic masquerading as originating from the victim's IP, thereby defeating IP-based fraud detection.

Open in new tab

Self-propagating North Korean job-scam malware spreads via compromised developer projects in software supply chain

A North Korean state-aligned actor has transformed fake job recruitment scams into a self-propagating supply-chain attack dubbed "Contagious Interview" that infects developer workstations and propagates via compromised repositories. Void Dokkaebi (aka Famous Chollima) abuses legitimate development workflows by luring developers with fake interviews, then delivering malware via malicious VS Code tasks or hidden payloads in fonts/images. Once committed to Git repositories, the infection spreads to downstream contributors, creating a worm-like chain reaction. Developers’ credentials, crypto wallets, CI/CD pipelines, and production infrastructure are primary targets. Newly identified activity connected to the same actor’s PromptMink campaign targets cryptocurrency developers via malicious npm packages, including @validate-sdk/v2, co-authored by an AI coding assistant. The layered package strategy uses legitimate-looking tools to hide malicious payloads, with payloads evolving from credential theft to broader data exfiltration, persistence mechanisms, and cross-platform binaries. Over 60 packages and 300+ versions have been identified across seven months, with evidence of LLM integration in malware development.

Open in new tab

Intent redirection in EngageLab SDK versions 4.5.4 and earlier enabled sandbox escape on 50M Android devices

A now-patched intent redirection vulnerability in EngageLab SDK versions 4.5.4 and earlier allowed malicious apps on affected Android devices to bypass application sandboxing and gain unauthorized access to private data. At least 50 million installations across multiple apps—including more than 30 million cryptocurrency wallets—were potentially exposed. An attacker would need a malicious app installed on the same device to exploit the flaw by manipulating intent contents leveraging the SDK’s trusted context.

Open in new tab

Targeted social engineering of Axios maintainer enables UNC1069 npm supply chain compromise via WAVESHAPER.V2 implant

A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4). Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on the use of WAVESHAPER.V2 and infrastructure overlaps with past activities. The malicious packages were available for roughly three hours and injected a plain-crypto-js dependency that installed a cross-platform RAT, enabling credential theft and downstream compromise. The campaign also targeted additional maintainers, including Pelle Wessman (Mocha framework) and Node.js core contributors, revealing a coordinated effort against high-impact maintainers. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, engagement via a cloned Slack workspace and Microsoft Teams call, and execution of a fake system update that deployed the RAT. Post-incident, the maintainer reset devices, rotated all credentials, adopted immutable releases, introduced OIDC-based publishing flows, and updated GitHub Actions workflows to mitigate future risks.

Open in new tab

Malicious npm Package Targets macOS Users with RAT and Credential Theft

A malicious npm package named "@openclaw-ai/openclawai" masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from macOS systems. The package, uploaded on March 3, 2026, has been downloaded 178 times and remains available. It targets system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also installing a persistent RAT with remote access capabilities and a SOCKS5 proxy. The malware uses social engineering to harvest system passwords and employs sophisticated persistence and command-and-control (C2) infrastructure. The package triggers its malicious logic via a postinstall hook, re-installing itself globally and displaying a fake command-line interface to mimic an OpenClaw installation. It then retrieves an encrypted second-stage payload from a C2 server, which is decoded and executed to continue running in the background. The malware also prompts users to grant Full Disk Access (FDA) to Terminal to access protected data. The second-stage payload is a comprehensive information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communication, and live browser cloning. Collected data is exfiltrated through multiple channels, including the C2 server, Telegram Bot API, and GoFile.io. The malware also monitors clipboard content for specific patterns related to private keys and cryptocurrency addresses. The impact of this malware is significant, as it can compromise sensitive user data and provide attackers with persistent access to infected systems. The sophisticated nature of the malware, including its use of social engineering and encrypted payload delivery, makes it a serious threat to macOS users.

Open in new tab