Sunday 10 May 2026

The AI Trust Problem: How a Fake OpenAI Repo Gamed Hugging Face and Won

A fake OpenAI repo hit Hugging Face's trending list and delivered infostealer malware — proving that AI's most trusted platforms are now prime real estate for supply chain attacks.

Lead story

Someone put a malicious repository on Hugging Face, called it an OpenAI "Privacy Filter" project, and watched it climb the platform's trending list — all while it quietly pushed infostealer malware to anyone who downloaded it. It's a clean, damaging attack that exploits two things at once: the authority of the OpenAI brand and the implicit trust developers place in Hugging Face as a legitimate distribution platform.

The mechanics are straightforward but effective. The attackers dressed the repo to look like an official OpenAI release — convincing enough that casual users wouldn't blink. Once downloaded, Windows victims received information-stealing malware capable of harvesting credentials, session tokens, and other sensitive data. The trending-list placement is the particularly alarming part. It means the repository likely received genuine engagement signals before anyone flagged it, amplifying reach in exactly the way legitimate projects do.

This is a pattern, not an anomaly. Hugging Face has become the GitHub of the AI era — a central hub where researchers, developers, and enterprises pull models, datasets, and tools. That makes it an increasingly attractive target. We've seen malicious models planted on the platform before, but a fake branded repository hitting the trending list represents a meaningful escalation in sophistication. Attackers are now gaming discoverability, not just sneaking things into obscure corners.

The OpenAI name is doing a lot of heavy lifting here. A project framed as a privacy tool from the world's most recognisable AI lab is going to attract exactly the kind of people — developers, researchers, IT professionals — whose machines are worth compromising. The irony of a "privacy filter" being the lure isn't subtle.

For Australian organisations, this matters directly. Hugging Face is widely used across Australian universities, research institutions, and tech companies building on open-weight models. If your team pulls from Hugging Face — and statistically, if you're in AI development, they do — this is a legitimate supply chain risk. The Australian Signals Directorate's Essential Eight controls around application control and patch management help at the endpoint level, but they don't address the upstream trust problem of a compromised dependency source.

What should defenders actually do? Treat Hugging Face repositories like you'd treat any third-party dependency: verify provenance, check commit history, look for the verified organisation badge, and avoid running anything from a newly-created account regardless of how official the name looks. The trending list is a social signal, not a security signal.
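The checks above can be turned into a pull-time policy gate. This is an added example, not the newsletter's or Hugging Face's own code: the RepoInfo fields and the canonical-namespace list are assumptions, and the sample repositories are constructed, not real hub entries.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

def utc(y, m, d):
    """Helper for building timezone-aware dates in tests and samples."""
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed metadata shape; field names are an assumption for this example,
# not the hub's actual API schema.
@dataclass
class RepoInfo:
    repo_id: str               # "namespace/name"
    author_created_at: datetime
    author_verified: bool      # verified organisation badge
    files: list
    likes: int = 0             # social signals, deliberately not used below
    downloads: int = 0

# Brand names that may only appear under their canonical namespace (assumed policy).
CANONICAL_NAMESPACES = {"openai": "openai"}
# Native executables have no business in a model or dataset repo.
RISKY_SUFFIXES = (".exe", ".msi", ".bat", ".ps1", ".dll", ".scr")

def provenance_findings(info, now=None, min_account_age_days=90):
    """Return a list of reasons not to pull this repo; empty means no finding."""
    now = now or datetime.now(timezone.utc)
    findings = []
    namespace, _, _name = info.repo_id.partition("/")
    # 1. Brand impersonation: brand name present, but namespace is not the canonical org.
    for brand, canon in CANONICAL_NAMESPACES.items():
        if brand in info.repo_id.lower() and namespace.lower() != canon:
            findings.append(f"brand '{brand}' used outside canonical namespace '{canon}'")
    # 2. Newly created publishing account.
    age = now - info.author_created_at
    if age < timedelta(days=min_account_age_days):
        findings.append(f"author account is only {age.days} days old")
    # 3. Missing verified organisation badge.
    if not info.author_verified:
        findings.append("author is not a verified organisation")
    # 4. Native executables shipped alongside the "model".
    risky = [f for f in info.files if f.lower().endswith(RISKY_SUFFIXES)]
    if risky:
        findings.append("repo ships native executables: " + ", ".join(risky))
    # likes/downloads are intentionally ignored: trending is not a security signal.
    return findings

def is_safe_to_pull(info, **kwargs):
    return not provenance_findings(info, **kwargs)
```

A real gate would populate RepoInfo from the hub's repo-info API and refuse the download when findings is non-empty.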

The broader issue is one of platform responsibility. GitHub spent years building tooling — verified publishers, security scanning, dependency review — to make supply chain attacks harder. Hugging Face is earlier in that journey, and attackers know it. The platform will need to move faster on verification and scanning as it becomes more central to how the world builds AI systems. Until it does, the onus falls squarely on the people pulling from it.

Watch for: whether Hugging Face publishes a post-mortem, how long the repo was live before takedown, and whether any major organisations confirm downstream infections.

Also today

JDownloader's Website Hijacked to Serve Python RAT Malware

Attackers compromised the official website for JDownloader — a download manager used by millions — and swapped out legitimate Windows and Linux installers for malicious versions. The Windows payload deployed a Python-based remote access trojan, giving attackers persistent control over infected machines. The attack follows a classic playbook: target a trusted software distribution site rather than the software itself, so users have no reason to second-guess what they're downloading. Anyone who installed JDownloader from the official site during the compromise window should treat their machine as potentially compromised and rotate credentials immediately.

Bleeping Computer

cPanel and WHM Patch Three Vulnerabilities — Including a Code Execution Bug

cPanel has pushed fixes for three newly disclosed vulnerabilities in cPanel and WHM, the control panel software that underpins a significant chunk of the world's shared web hosting infrastructure. The most serious allows arbitrary code execution; the others enable privilege escalation and denial-of-service. Individual CVSS scores sit in the moderate range, but the sheer number of hosting providers running these products — including many Australian web hosts — means the attack surface is enormous. Administrators should prioritise patching: because the software is so widely deployed, cPanel vulnerabilities have historically attracted rapid exploitation.

The Hacker News

Russia's School for Elite Hackers: Leaked Documents Reveal the Curriculum

Leaked internal documents have shed light on a Russian government programme that trains an elite cadre of offensive cyber operators — covering everything from vulnerability research to operational tradecraft. The Wired report doesn't name the institution directly but describes a structured, well-resourced curriculum that mirrors what Western intelligence agencies have suspected about Russia's pipeline for developing state-linked threat actors. The disclosure is a useful primary-source window into how Russia sustains its offensive cyber capability, and a reminder that the threat actors targeting Western critical infrastructure aren't self-taught — they're institutionally produced.

WIRED Security

Nvidia Has Already Deployed $40 Billion in AI Equity Deals in 2026

Nvidia has committed US$40 billion to equity investments in AI companies so far this year, cementing its role not just as a chipmaker but as a major structural financier of the AI industry. The strategy is deliberate: invest in the companies most likely to buy more GPUs, creating a virtuous cycle that keeps Nvidia's order books full regardless of which AI models ultimately win. It's a clever hedge — Nvidia doesn't need to pick winners if its customers are the ones building them. The scale of the commitment, roughly $40 billion in under five months, underscores how quickly the AI investment landscape is concentrating around a handful of dominant players.

TechCrunch

Musk v. Altman, Week 2: The Lawsuit Gets Stranger

The second week of Elon Musk's lawsuit against OpenAI delivered fresh drama, with Musk's own inner circle undermining his narrative. Shivon Zilis — a close Musk associate — testified that Musk had actually tried to recruit Sam Altman to join his own AI venture, complicating Musk's claim that he was purely a betrayed philanthropist. OpenAI's legal team used the testimony to argue that Musk's suit is less about principle and more about competitive frustration. The trial is becoming as much a character study as a legal proceeding, and the revelations are making it harder for Musk's team to sustain a coherent theory of wrongdoing.

MIT Technology Review

GM Settles California Driver Privacy Case for $12.75 Million

General Motors has agreed to pay $12.75 million to settle a California privacy enforcement action led by the state's Attorney General. The case centred on GM's collection and sale of detailed driver behaviour data — including sharp braking, acceleration patterns, and location history — to insurers without adequate disclosure to drivers. The settlement is one of the larger privacy enforcement actions against an automaker in the US and sets a useful precedent for connected vehicle data practices. Australian Privacy Act reforms currently being debated in Canberra include provisions that would tighten rules around this kind of secondary data use, making the GM case a relevant reference point for local policy discussions.

TechCrunch

Oracle Refuses Better Severance for Laid-Off Workers — and the Remote Worker Loophole Is the Story

Oracle laid off a significant number of workers and rejected their attempts to negotiate improved severance terms. The sharper detail: many affected employees discovered they didn't qualify for WARN Act protections — which require 60 days' notice before mass layoffs — because Oracle had classified them as remote workers. The WARN Act has a disputed exemption for employees who don't report to a physical worksite, and Oracle appears to have leaned on it. It's a legal grey area that became a very expensive grey area for former employees, and a reminder that remote-work classifications carry consequences well beyond expense reimbursements and home-office setups.

TechCrunch

AI Kids' Toys: The Regulatory Frontier Nobody Is Ready For

A new wave of AI-powered connected toys is hitting the market — devices that hold conversations, adapt to children's moods, and remember previous interactions. Ars Technica's analysis describes an industry moving faster than any regulatory framework can keep up with, with some US lawmakers already calling for outright bans. The core concerns are familiar: data collection from minors, opaque training practices, and the psychological dynamics of children forming parasocial bonds with AI companions. Australia's Online Safety Act and the Children's Online Privacy Code currently being developed by the eSafety Commissioner would likely capture some of these devices — but enforcement against offshore manufacturers remains a live question.

Ars Technica

Manufacturing Qubits That Can Move: The Flexible Quantum Computing Problem

Researchers are tackling one of quantum computing's less-discussed engineering problems: making qubits that can be physically repositioned within a chip. Current quantum processors are largely static — qubits sit in fixed locations, which creates connectivity constraints that limit circuit depth and error correction options. The challenge is that the manufacturing processes for electronics and the physical requirements for flexible geometries don't play nicely together. The research is early-stage but points toward an important direction: quantum hardware that can be reconfigured, not just reprogrammed. For anyone tracking the timeline to cryptographically relevant quantum computers, advances in qubit mobility are a key variable worth watching.

Ars Technica

ABC Refuses to Back Down as FCC Targets The View

The US Federal Communications Commission has opened an inquiry into ABC's The View under pressure from the Trump administration, in what critics are calling a direct attempt to use broadcast licensing as leverage over editorial content. ABC and parent company Disney have declined to capitulate, with the network pushing back formally against the FCC's process. The case is being watched closely as a test of how far the executive branch can use regulatory bodies to discipline media coverage — and whether broadcasters will cave under the implicit threat of licence review. The FCC's authority over broadcast content is narrowly scoped, and legal observers say ABC has a strong procedural case.

Ars Technica

Fintech Startup Parker Files for Bankruptcy and Shuts Down

Parker, a well-funded US fintech that offered corporate credit cards and banking services to e-commerce businesses, has filed for bankruptcy and ceased operations. The company had raised substantial venture capital but struggled to reach profitability in an increasingly competitive segment. Parker's collapse is another data point in the broader fintech shakeout: the easy money era that funded dozens of near-identical B2B card products is over, and investors are no longer willing to subsidise customer acquisition losses indefinitely. For Australian fintechs operating in adjacent spaces, the lesson is familiar — unit economics matter more than growth metrics when the funding environment tightens.

TechCrunch
