A major AI vendor published a privacy filter model in April, advertised as a way for applications to detect and redact personal information from unstructured text. Within weeks a copycat repository appeared on a public model hub, named to be mistaken for the real one and carrying the legitimate description copied verbatim. It also shipped a loader script that fetched and executed a Rust-based information stealer on the Windows machines that downloaded it. By the time the platform took the page down, the fake had been pulled 244,000 times and was sitting at the top of the trending list.
The trending list is the structural failure here. Public model hubs surface what is popular, the same way every open ecosystem does. Popularity is trivially gameable by an attacker who is willing to download their own model a few thousand times from a few thousand machines. The signal that says “lots of other people trust this” is the signal an attacker manufactures for free, and the typosquatted name does the rest. The platform did not promise to be a vendor risk review. Plenty of teams treated it like one anyway.
Many enterprise AI integrations now look like this. A developer needs a model. They search a public hub. They find something with the right description and a respectable download count. It goes into the stack. The vetting happens visually, on a marketing page, against a number. The integrity of the pipeline rests on a description string that anyone can copy and a download counter that anyone can inflate, and neither says anything about what the files in the repository actually do. In this particular case, the cover story was a privacy tool, which means anyone who installed it because they cared about privacy got the precise opposite of what they signed up for.
The deeper point is not that public model hubs are bad. They are useful, and an open research ecosystem is the right shape for an open research community. They are simply not curation. Treating them as the procurement channel for production AI is treating a search box as a supplier qualification process. Names on the internet are cheap. The hub never claimed otherwise.
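The two ways of resolving a model described above, side by side, as an added example that is not part of the original article or of any product it mentions. The hub snapshot, repository names, file bytes, download counts and approval record are all constructed for the demonstration; nothing is fetched from a real hub, and the only library call is to hashlib. The first function does what the article describes (match the description, take the most-downloaded hit). The second resolves by exact repository id against an approval your team wrote after vetting, refuses any file the approval does not list (so a bundled loader script is a hard stop rather than something that runs), and verifies the SHA-256 of every file before handing it back.

```python
"""Name-and-popularity lookup versus pinned-digest resolution of a model.

Added example; not code from the article or from any product it mentions.
HUB_INDEX, the repo ids, the file bytes and APPROVED are constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class HubEntry:
    """One search result as a hub might present it (constructed)."""
    repo_id: str
    description: str
    downloads: int
    files: dict[str, bytes] = field(default_factory=dict)


# Constructed hub snapshot: the genuine repository and a look-alike that copied
# the description, inflated its download count and added a loader script.
HUB_INDEX = [
    HubEntry("vendor/privacy-filter", "Detects and redacts PII in text.", 18_000,
             files={"model.safetensors": b"REAL-WEIGHTS"}),
    HubEntry("vendor-ai/privacy-filter", "Detects and redacts PII in text.", 244_000,
             files={"model.safetensors": b"JUNK-WEIGHTS",
                    "load.py": b"import urllib.request  # stager, constructed"}),
]


def pick_by_popularity(hub_index: list[HubEntry], query: str) -> HubEntry:
    """The failure mode: match on description text, trust the download counter."""
    hits = [e for e in hub_index if query.lower() in e.description.lower()]
    return max(hits, key=lambda e: e.downloads)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approval record written once after vetting and kept with the deployment code:
# the exact repo id, the only files allowed to exist, and their digests.
APPROVED = {
    "repo_id": "vendor/privacy-filter",
    "files": {"model.safetensors": sha256_hex(b"REAL-WEIGHTS")},
}


def fetch_approved(hub_index: list[HubEntry], approval: dict) -> dict[str, bytes]:
    """Resolve by exact id, reject unexpected files, verify every digest."""
    matches = [e for e in hub_index if e.repo_id == approval["repo_id"]]
    if len(matches) != 1:
        raise ValueError(f"approved repo {approval['repo_id']!r} not found exactly once")
    entry = matches[0]
    unexpected = set(entry.files) - set(approval["files"])
    if unexpected:
        # Anything not in the approval (a loader script, an extra binary) fails
        # closed. Extra files are never executed "because they came with it".
        raise ValueError(f"unapproved files in repo: {sorted(unexpected)}")
    for name, want in approval["files"].items():
        blob = entry.files.get(name)
        if blob is None:
            raise ValueError(f"approved file {name!r} missing from repo")
        got = sha256_hex(blob)
        if got != want:
            raise ValueError(f"digest mismatch for {name!r}: {got} != {want}")
    return entry.files


def verdict(hub_index: list[HubEntry], approval: dict) -> str:
    """'ok' when the approved artifact resolves and verifies, else the reason it did not."""
    try:
        fetch_approved(hub_index, approval)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("popularity picks:", pick_by_popularity(HUB_INDEX, "redacts PII").repo_id)
    print("pinned approval:", verdict(HUB_INDEX, APPROVED))
    fake = {"repo_id": "vendor-ai/privacy-filter", "files": APPROVED["files"]}
    print("pinned to typosquat:", verdict(HUB_INDEX, fake))
```

The approval record is the procurement boundary the article talks about: it is produced once, by people, and checked on every fetch by code. A repository can copy the description and buy the download count, but it cannot make `vendor-ai/privacy-filter` equal `vendor/privacy-filter`, and it cannot make junk weights hash to the approved digest. Note that the check on unexpected files is deliberate: the stealer in this story arrived as an extra script next to the model, not inside the weights.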
Models you brought in, on infrastructure you run.
The local AI inside Eclipse runs on models the customer chose, vetted, and signed off on, inside the customer’s perimeter. It does not phone home to a public model hub at runtime and pull whatever happens to be trending under a familiar name. The supply chain stops at the procurement boundary, and the boundary is one the customer controls. No trending list, no typosquat, no loader script quietly doing something else on its way to the model. The model that runs is the one your team approved.
The Hacker News covered the fake Privacy Filter repository and the information stealer that shipped with it across 244,000 downloads. https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html
