Supply Chain Attack: Malicious npm Package Distributes MicrosoftSystem64 RAT via HuggingFace
Key Takeaways
- A malicious npm package, js-logger-pack, evolved through 29 versions into MicrosoftSystem64, a binary RAT shipped as a Node.js Single Executable Application (SEA) to evade detection
- HuggingFace datasets and model repositories were abused for both C2 communication and data exfiltration, turning a trusted ML/AI resource into attacker infrastructure
- The binary targets 80+ cryptocurrency wallet extensions, browser credentials, SSH keys, and Telegram sessions, and implements cross-platform persistence and keystroke logging
- The threat remained fully active more than six weeks after disclosure, with a valid attacker token, a live C2 server, and victims still under surveillance
Summary
In a supply chain attack discovered in early April 2026, a malicious npm package called js-logger-pack evolved through 29 versions into MicrosoftSystem64, a full-featured remote access trojan (RAT) and info-stealer. The 81 MB binary was packaged as a Node.js Single Executable Application, so it presents as a native executable rather than readable JavaScript, which let it slip past review that inspects package source. SafeDep first documented the threat on April 15, followed by independent confirmation from JFrog Research a week later.
MicrosoftSystem64 implements 24 distinct remote commands and targets over 80 cryptocurrency wallet browser extensions, credentials from 15 browser families, SSH keys, Telegram sessions, and system clipboard data. It includes cross-platform persistence mechanisms (Windows Scheduled Tasks, macOS LaunchAgents, Linux systemd units), a native keylogger with clipboard monitoring, and screenshot capture. Critically, the attacker abused HuggingFace datasets and model repositories as both the command-and-control channel and the data exfiltration point, and the binary is configured to self-update every 24 hours from a HuggingFace model repository.
As of May 28, 2026, over six weeks after initial discovery, the threat remained fully operational. Live infrastructure probing confirmed that the embedded HuggingFace token was still valid, that the C2 server at 195.201.194.107:8010 was accepting connections, and that real victims remained under active surveillance. Despite the dual disclosure from SafeDep and JFrog Research, the warnings went largely unheeded.
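As an added practitioner check (example code written for this page, not code from SafeDep, JFrog Research, or the original article), the following Python script triages an unpacked npm package directory for the three traits described above: an oversized file, the Node.js SEA fuse sentinel that marks a binary as a packaged Single Executable Application, an embedded HuggingFace token (documented `hf_` prefix), and the reported C2 endpoint. The sentinel string comes from the Node.js SEA documentation; the 20 MB threshold, the token length bound, and the sample "binary" are assumptions constructed for the example.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Sentinel string Node.js compiles into its own binary for Single Executable
# Applications (from the Node.js SEA documentation). Injecting a SEA blob with
# postject flips the byte after the colon from "0" to "1", so a fused sentinel
# means "this is a packaged SEA", not a plain node runtime.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:"

# HuggingFace user access tokens carry the documented "hf_" prefix; the minimum
# length here is an assumption chosen to skip short placeholders like "hf_xxx".
HF_TOKEN_RE = re.compile(rb"hf_[A-Za-z0-9]{30,}")

# C2 endpoint named in the article.
C2_ENDPOINT = b"195.201.194.107:8010"

# Assumed triage threshold: a single 20 MB+ file inside an npm package is unusual
# and worth a look (the reported binary was 81 MB).
SIZE_THRESHOLD = 20 * 1024 * 1024


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def scan_bytes(data: bytes) -> list:
    """Return the list of indicator labels found in one file's contents."""
    reasons = []
    idx = data.find(SEA_FUSE)
    if idx != -1:
        fuse_byte = data[idx + len(SEA_FUSE): idx + len(SEA_FUSE) + 1]
        reasons.append("sea-fuse-set" if fuse_byte == b"1" else "sea-fuse-unset")
    for match in HF_TOKEN_RE.finditer(data):
        token = match.group(0)
        # Never log the full secret; a prefix/suffix is enough to correlate.
        reasons.append(f"hf-token:{token[:6].decode()}...{token[-4:].decode()}")
    if C2_ENDPOINT in data:
        reasons.append("known-c2:" + C2_ENDPOINT.decode())
    return reasons


def scan_package(root: str) -> list:
    """Walk an unpacked package directory and collect per-file findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.getsize(path) > SIZE_THRESHOLD:
                reasons.append("oversized-file")
            with open(path, "rb") as fh:
                reasons += scan_bytes(fh.read())
            if reasons:
                findings.append(Finding(path, reasons))
    return findings


# Constructed sample: a fake "binary" carrying all three indicators. The token
# value is made up for the example and is not a real credential.
SAMPLE_BINARY = (
    b"\x7fELF\x00\x00 node runtime junk "
    + SEA_FUSE + b"1 "
    + b"hf_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh "
    + b"http://" + C2_ENDPOINT + b"/beacon\x00"
)


def demo() -> list:
    """Write the constructed sample into a throwaway package dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "bin"))
        with open(os.path.join(tmp, "bin", "MicrosoftSystem64"), "wb") as fh:
            fh.write(SAMPLE_BINARY)
        with open(os.path.join(tmp, "index.js"), "wb") as fh:
            fh.write(b"module.exports = require('./bin/MicrosoftSystem64');\n")
        return scan_package(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding.path, ", ".join(finding.reasons))
```

Point `scan_package` at the output of `npm pack` plus `tar xf` for a suspect package version; a fused SEA sentinel inside a package that claims to be a logging library is itself the signal, whatever else the scan finds.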
Editorial Opinion
This attack underscores a systemic weakness in the open-source supply chain that now extends into AI and ML development. The abuse of HuggingFace, a platform trusted by researchers and practitioners, as C2 and exfiltration infrastructure is particularly concerning because it shows how legitimate model-sharing infrastructure can be weaponized. The persistence of the threat six weeks after public disclosure raises questions about security monitoring and incident response in the npm ecosystem and highlights the urgent need for stronger supply chain verification in the ML community.