Slide 14 · Attack Type 6 of 6 — Fake & Abandoned Models
The easiest attack: a trusted name nobody is guarding.
Confirmed Incident · May 2026 · Reported by HiddenLayer / BleepingComputer
Fake “OpenAI” Repo Tops Hugging Face — Ships an Infostealer
No CVE · Technique: typosquatting + copied model card · ~244,000 downloads before removal

The lure: a repository impersonating an official OpenAI release, with the model card copied nearly verbatim. Faked engagement pushed it into the trending list — it briefly hit #1 on Hugging Face.

The payload: a loader.py that fetched and executed infostealer malware on every machine where it was run. Any code shipped inside a model repository is an execution path, whether it is a helper script run by hand or custom model code loaded with trust_remote_code=True, and it runs with the user's privileges. Researchers found six sibling repos reusing the same loader, linked to npm and PyPI typosquatting campaigns.

The variant: Palo Alto's Model Namespace Reuse shows the flip side — when a model is deleted or transferred, an attacker can re-register the abandoned name, and any pipeline that pulls “by name” silently gets the imposter.

Takeaway: a name, a copied README, and a download count are not identity. Trending and popularity are exactly what attackers manufacture.
The Defense This Would Have Stopped

Pin models to a specific verified publisher and commit hash, never resolving "by name" alone, and verify provenance/signatures before download (Part 4). The pin only helps if it is enforced on every pull: confirm that the commit the server resolved is the one you pinned and that each file's digest matches what you recorded, and treat a bare branch or tag name in a lock file as not pinned at all.
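An added example of that defense, written for this page and not taken from the slides, from HiddenLayer, Palo Alto, or Hugging Face: a small pin-and-verify layer that refuses anything except an exact publisher, a full commit hash, and recorded file digests. The downloader adapter signature, the fake Hub, the repo "acme/demo-model", its commit hashes and file contents are all constructed for illustration; the real Hugging Face calls mentioned in the comment (hf_hub_download with revision=, HfApi().model_info(...).sha) are my assumption about the library's shape and are not exercised here.

```python
import hashlib
import re
from dataclasses import dataclass, field

FULL_COMMIT = re.compile(r"^[0-9a-f]{40}$")  # a branch or tag is a name, not a pin


class PinViolation(Exception):
    """The artifact that arrived is not the one the pin describes."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ModelPin:
    publisher: str   # exact owner namespace; a lookalike org is a different string
    name: str        # repo name under that namespace
    revision: str    # full commit hash, never "main" or a tag
    file_digests: dict = field(default_factory=dict)  # filename -> sha256 hex

    @property
    def repo_id(self) -> str:
        return f"{self.publisher}/{self.name}"

    def validate(self) -> None:
        if not FULL_COMMIT.match(self.revision):
            raise PinViolation(f"revision {self.revision!r} is not a full commit hash")
        if not self.file_digests:
            raise PinViolation("pin lists no file digests, so nothing can be verified")


def fetch_pinned(pin: ModelPin, filename: str, downloader) -> bytes:
    """Fetch one file strictly by the pin and verify it before handing it back.

    downloader(repo_id, filename, revision) -> (bytes, resolved_commit) is a
    hypothetical adapter. A real one would wrap huggingface_hub's
    hf_hub_download(repo_id, filename, revision=...) and read the resolved
    commit from HfApi().model_info(repo_id, revision=...).sha (assumed shape).
    """
    pin.validate()
    if filename not in pin.file_digests:
        raise PinViolation(f"{filename} is not listed in the pin; refusing it")
    data, resolved_commit = downloader(pin.repo_id, filename, pin.revision)
    if resolved_commit != pin.revision:
        raise PinViolation(f"server resolved {resolved_commit}, pin says {pin.revision}")
    got = sha256_hex(data)
    if got != pin.file_digests[filename]:
        raise PinViolation(f"{filename}: sha256 {got} != pinned {pin.file_digests[filename]}")
    return data


def attempt(pin: ModelPin, filename: str, downloader):
    """Run fetch_pinned and report ('ok', data) or ('rejected', exception name)."""
    try:
        return "ok", fetch_pinned(pin, filename, downloader)
    except (PinViolation, LookupError) as exc:   # KeyError is a LookupError too
        return "rejected", type(exc).__name__


def make_fake_hub(repos):
    """Constructed stand-in for the Hub, not the real API.

    repos: repo_id -> list of (commit, {filename: bytes}), oldest first.
    'main' resolves to the newest commit, which is exactly the by-name
    behaviour that hands a re-registered namespace straight to the caller.
    """
    def downloader(repo_id, filename, revision):
        history = repos[repo_id]                      # KeyError if no such repo
        if revision == "main":
            commit, files = history[-1]
        else:
            hits = [entry for entry in history if entry[0] == revision]
            if not hits:
                raise LookupError(f"{repo_id} has no commit {revision}")
            commit, files = hits[0]
        return files[filename], commit
    return downloader


# Constructed sample data: a genuine release, then the same name after takeover.
GENUINE_COMMIT = "1" * 40
IMPOSTER_COMMIT = "2" * 40
GENUINE_CONFIG = b'{"model_type": "demo"}\n'
IMPOSTER_CONFIG = b'{"model_type": "demo", "auto_map": {"AutoModel": "loader.Model"}}\n'
PIN = ModelPin("acme", "demo-model", GENUINE_COMMIT,
               {"config.json": sha256_hex(GENUINE_CONFIG)})


def scenario_namespace_reuse():
    """The name has been re-registered by an attacker: by-name pull vs pinned pull."""
    hub_after_takeover = make_fake_hub({
        "acme/demo-model": [(IMPOSTER_COMMIT,
                             {"config.json": IMPOSTER_CONFIG, "loader.py": b"# payload"})],
    })
    by_name, _ = hub_after_takeover("acme/demo-model", "config.json", "main")
    pinned = attempt(PIN, "config.json", hub_after_takeover)
    return by_name, pinned


if __name__ == "__main__":
    print(scenario_namespace_reuse())
```

The by-name pull quietly returns the imposter's config.json (with a new auto_map pointing at shipped code), while the pinned pull fails because the re-registered repo has no history containing the pinned commit. The same layer also rejects a lock entry that says "main", a pin whose revision was bumped without re-recording digests, and any file the pin never listed.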
