Evolution of a Supply Chain Threat: The js-logger-pack and MicrosoftSystem64 Malware Campaign
A highly sophisticated supply chain attack has been identified within the npm ecosystem, marking a significant shift in how malicious actors leverage developer tools for large-scale distribution. The campaign centers around a package named js-logger-pack, which underwent a calculated evolutionary process to transform from a seemingly innocuous logging utility into a potent, cross-platform malware loader.
First detected in early April 2026, the threat actors utilized a “slow-burn” approach, deploying 29 incremental version updates. This incrementalism was designed to bypass traditional heuristic analysis by gradually introducing malicious logic, eventually culminating in a full-scale information stealer and Remote Access Trojan (RAT). Despite rapid public disclosure, the operation has shown remarkable resilience; as of late May, researchers confirmed that the primary command-and-control (C2) infrastructure at 195[.]201[.]194[.]107:8010 remained active and capable of receiving connections from newly compromised hosts.
The technical complexity of the campaign is further underscored by its exfiltration methodology. The attackers utilized an embedded HuggingFace API token to funnel stolen data through legitimate machine learning infrastructure. While the token was eventually flagged for revocation, the window of opportunity allowed for weeks of undetected surveillance and data harvesting from high-value targets.
Technical Analysis of the MicrosoftSystem64 Payload
The primary payload, MicrosoftSystem64, is a sophisticated 81 MB stripped ELF binary designed for cross-platform execution across Linux, Windows, and macOS. The malware is architected using Node.js v20.18.2 Single Executable Application (SEA) technology. This allows the attackers to bundle the entire Node.js runtime and complex dependencies into a single, portable executable, reducing the footprint required for deployment and bypassing the need for a pre-installed environment.
Upon successful execution, the malware establishes a persistent WebSocket connection to its C2 server. It operates via a modular command architecture, supporting 24 distinct instructions that grant attackers granular, remote control over the host system. The malware’s data harvesting capabilities are extensive:
- Browser Exploitation: It targets over 15 browser families (including Chrome, Edge, Firefox, Brave, Opera, and Safari) to extract sensitive cookies, saved credentials, and active session tokens.
- Cryptocurrency Targeting: The payload specifically scans for more than 80 cryptocurrency wallet browser extensions, aiming to exfiltrate wallet files and extension-specific metadata.
- Session Hijacking: For Telegram Desktop users, the malware compresses and exfiltrates the
tdatadirectory, enabling complete account takeover without requiring multi-factor authentication. - Lateral Movement: The malware conducts automated searches for SSH credentials (e.g.,
id_rsa,id_ed25519) and host configuration files likeauthorized_keysto facilitate movement within enterprise networks. - Continuous Surveillance: Utilizing native OS APIs—such as
SetWindowsHookExon Windows,CGEventTapon macOS, andevdevon Linux—the malware operates a built-in keylogger. This is supplemented by continuous clipboard monitoring and automated screenshots captured every 60 seconds.
Initial analysis by SafeDep revealed the emergence of the MicrosoftSystem64 second-stage payload, while subsequent research by JFrog highlighted the campaign’s innovative—and highly evasive—use of HuggingFace as a covert exfiltration channel.
Evasion Tactics: Leveraging AI Infrastructure
One of the most alarming aspects of this campaign is the weaponization of legitimate AI/ML platforms. Rather than utilizing suspicious, newly registered domains, the malware uploads exfiltrated data directly to HuggingFace repositories. By blending malicious outbound traffic with legitimate machine learning data transfers, the attackers effectively mask their activities from network-based anomaly detection systems.
Furthermore, the malware uses HuggingFace model repositories as a decentralized distribution network for updates. By checking for new binary versions every 24 hours, the threat actors can push capability upgrades and evade signature-based detection without relying on traditional, easily blocked C2 infrastructure.
To ensure longevity, the malware implements platform-specific persistence mechanisms:
- Windows: Creation of malicious Scheduled Tasks.
- macOS: Deployment of LaunchAgents.
- Linux: Implementation via
systemduser services and XDG autostart entries.
Indicators of Compromise (IoC)
| Indicator Type | Value |
|---|---|
| Binary Names | MicrosoftSystem64 (Linux), MicrosoftSystem64.exe (Windows), MicrosoftSystem64-darwin-x64/arm64 (macOS) |
| SHA-256 (Linux ELF) | b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97 |
| File Size | ~85,134,080 bytes (81 MB) |
| C2 Infrastructure | 195[.]201[.]194[.]107:8010 (WebSocket/HTTP) |
| HuggingFace Host | hxxps://huggingface[.]co/jpeek998/system-releases/resolve/main |
| HuggingFace Account | jpeek998 |
| XOR Key | [90, 60, 126, 18, 159, 75, 109, 138] |
| Persistence Labels | com.launchkeeper.MicrosoftSystem64 (macOS), systemd service (Linux), Scheduled Task (Windows) |
| Install Paths | ~/.local/share/MicrosoftSystem64 (Linux), ~/Library/Application Support/MicrosoftSystem64 (macOS), %LOCALAPPDATA%\MicrosoftSystem64 (Windows) |
| Malicious npm Package | js-logger-pack (v1.1.22+) |
Security Advisory: The IP addresses and domains listed above have been defanged (e.g., using [.]) to prevent accidental execution. Analysts should only re-fang these indicators within a controlled sandbox or threat intelligence platform.