Table of Contents
TL;DR #
In early April 2026, a malicious npm package called js-logger-pack
began evolving through 29 versions on the registry, progressing from a harmless probe into a full WebSocket stealer and eventually a binary dropper. SafeDep’s analysis on April 15 first documented this evolution and identified its second-stage payload: a binary called MicrosoftSystem64
. A week later, JFrog Research independently reported the same campaign, highlighting its novel abuse of HuggingFace as a data exfiltration channel. Despite both disclosures, the threat remains fully active over six weeks later: our live infrastructure probe on May 28 confirmed the embedded HuggingFace token was still valid, the C2 server was accepting connections, and real victims were under active surveillance. The token has since been reported to HuggingFace for revocation.
MicrosoftSystem64
itself is an 81 MB stripped ELF binary (with Windows and macOS variants) that packages a full-featured info-stealer and remote access trojan (RAT) inside a Node.js v20.18.2 Single Executable Application (SEA). It connects to a WebSocket C2 at 195[.]201[.]194[.]107:8010
, accepts 24 distinct remote commands, and exfiltrates stolen data to attacker-controlled HuggingFace datasets. It self-updates from a HuggingFace model repository, establishes persistence on all three major operating systems, and targets over 80 cryptocurrency wallet browser extensions, every Chromium and Firefox browser variant, Telegram Desktop sessions, SSH keys, and the system clipboard. It includes a cross-platform keylogger using native OS APIs (Windows SetWindowsHookEx
, macOS CGEventTap
, Linux xinput
/evdev
) and captures periodic screenshots uploaded to HuggingFace. This post provides a deep binary-level analysis of the payload’s full capabilities. The current analyzed version is 1.0.8.
Impact:
- Exfiltration of credentials from 15 browser families (Chrome, Edge, Brave, Firefox, Opera, Vivaldi, Safari, Yandex, Chromium, CocCoc, CentBrowser, Opera GX, Chrome Beta, Chrome Canary, Edge Beta).
- Theft of 80+ cryptocurrency wallet browser extension data including local storage, extension code, and wallet files.
- Telegram Desktop session hijacking via
tdata
folder compression and upload. - SSH key exfiltration (
id_rsa
,id_ed25519
,id_ecdsa
,known_hosts
,authorized_keys
). - Cross-platform keylogger with clipboard monitoring (1 second polling interval).
- Periodic screenshot capture and upload to HuggingFace (60 second interval).
- Remote command execution with shell access on all platforms.
- Self-updating binary with 24-hour check interval from HuggingFace.
- Persistence via Windows Scheduled Tasks, macOS LaunchAgents, Linux systemd user units and XDG autostart.
Indicators of Compromise (IoC): | Indicator | Value |
|---|---|
| Binary name | `MicrosoftSystem64` (Linux), `MicrosoftSystem64.exe` (Windows), `MicrosoftSystem64-darwin-x64` / `MicrosoftSystem64-darwin-arm64` (macOS) |
| SHA-256 (Linux ELF) | b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97 |
| File size | 85,134,080 bytes (81 MB) |
| Binary version | 1.0.8 |
| Node.js version | v20.18.2 (statically linked SEA) |
| C2 server | 195[.]201[.]194[.]107:8010 (WebSocket + HTTP), Hetzner Online GmbH, DE, AS24940 |
| HuggingFace binary host | hxxps://huggingface[.]co/jpeek998/system-releases/resolve/main |
| HuggingFace exfil account | jpeek998 (encrypted in binary config) |
| HuggingFace token (encrypted) | MlohU84sIc82dTpY/CgE3jdOOWD1OwnyDXYRds4bG+cUeBRH7w== |
| XOR encryption key | [90, 60, 126, 18, 159, 75, 109, 138] |
| Persistence unit name | MicrosoftSystem64 (systemd service, LaunchAgent label com.launchkeeper.MicrosoftSystem64 , Windows scheduled task) |
| Install directory | ~/.local/share/MicrosoftSystem64 (Linux), ~/Library/Application Support/MicrosoftSystem64 (macOS), %LOCALAPPDATA%\MicrosoftSystem64 (Windows) |
| Registration marker | .registered file with ISO timestamp in install directory |
| Related npm package |
js-logger-pack |
Lordplay/system-releases
(earlier binary hosting)## Analysis
Binary Structure: Node.js SEA as an Evasion Vector
The binary is an 81 MB stripped ELF 64-bit x86-64 executable, dynamically linked against libdl
, libstdc++
, libm
, libgcc_s
, libpthread
, and libc
. Despite looking like a native Linux binary to file type checks, it is a Node.js Single Executable Application (SEA) built on Node.js v20.18.2. The SEA format bundles the full V8 engine, Node.js runtime, OpenSSL, and the malicious JavaScript into a single distributable binary.
This packaging strategy gives the attacker several advantages: the payload runs without requiring Node.js on the victim machine, the JavaScript source is embedded within megabytes of V8 runtime strings making static analysis harder, and the binary presents as a native executable to endpoint monitoring tools rather than a suspicious node
process. The process.title
is set to MicrosoftSystem64
, so process listings show a plausible-looking Microsoft service name.
Configuration and Encryption
The embedded JavaScript is bundled from dist/config.js
and uses a simple XOR cipher to obfuscate hardcoded configuration values. The decryption function and key are present in cleartext:
The configuration block stores XOR-encrypted values alongside cleartext comments that reveal the plaintext, making deobfuscation trivial:
The decoded configuration establishes: the C2 WebSocket endpoint at ws://195[.]201[.]194[.]107:8010
, a heartbeat interval of 15 seconds, a HuggingFace model repository at jpeek998/system-releases
for binary updates, and a HuggingFace API token for authenticated dataset uploads. The attacker left the plaintext in comments during development and never cleaned them from the production build.
C2 Communication Architecture
The agent connects to the C2 server over WebSocket with automatic reconnection using exponential backoff (1 second minimum, 10 second maximum, 500 ms jitter). On connection, it sends a heartbeat message containing a unique agentId
derived from the victim’s platform, username, and machine identifier:
The heartbeat fires every 15 seconds (configured via HB
). On reconnection, the agent resumes any pending uploads that failed during previous sessions, providing resilience against network disruptions.
Command and Control: 24 Remote Tasks
The binary accepts 24 distinct task types from the C2 operator, making it a full remote access trojan:
| Task type | Capability |
|---|---|
scan_wallets |
Enumerate and exfiltrate all crypto wallet browser extensions and standalone wallet apps |
scan_files |
Scan filesystem for files matching attacker-specified patterns |
send_tdata |
Compress and upload Telegram Desktop session data |
download_ssh |
Exfiltrate SSH keys directory |
exec_command |
Execute arbitrary shell commands (PowerShell on Windows, /bin/sh on Unix) |
list_dir |
Directory listing |
list_drives |
Enumerate mounted drives/volumes |
get_system_info |
Collect OS, CPU, RAM, network, and user details |
get_folder_size / get_multi_folder_size / get_multi_item_size |
Reconnaissance of file sizes |
start_input_capture / stop_input_capture / get_input_events |
Cross-platform keylogger with clipboard capture |
start_screenshot_stream / stop_screenshot_stream / set_screenshot_stream_quality |
Real-time screenshot streaming to C2 |
start_screenshot_hf_upload / stop_screenshot_hf_upload / capture_screenshot_hf |
Periodic screenshot upload to HuggingFace (60 second intervals) |
clipboard_get / clipboard_set / get_clipboard |
Read and write system clipboard |
upload_folder_hf / upload_batch_hf |
Upload arbitrary directories to HuggingFace datasets |
The exec_command
handler is a full remote shell. On Windows it spawns powershell.exe -NoProfile -NonInteractive -Command
, on Linux/macOS it uses /bin/sh -c
. It supports configurable timeouts (default 60 seconds), working directory, and shell toggle:
Data Exfiltration via HuggingFace
The most distinctive feature of this payload is its abuse of HuggingFace as a data exfiltration backend, documented by JFrog Research. Rather than up stolen data directly to the C2 server (which would require significant bandwidth and storage infrastructure), the agent creates private HuggingFace datasets under the attacker’s account and commits stolen files using the HuggingFace Git LFS commit API:
Each victim’s data is organized into separate datasets named from the agentId
and the data type (e.g., scan_wallets
, scan_files
, ssh_keys
). The agent first ensures the dataset exists via the HuggingFace API, then uploads gzipped archives as commits. After each upload, it notifies the C2 server with metadata about the upload:
This architecture offloads storage to HuggingFace’s infrastructure, making the exfiltration harder to detect (HTTPS traffic to a legitimate ML platform) and cheaper for the attacker to operate. The C2 server only receives lightweight notification messages while HuggingFace stores the actual stolen data.
The current binary uses the HuggingFace account jpeek998
, a pivot from the earlier Lordplay
account used for binary hosting in the first dropper versions.
Browser Credential Theft
The _scanBrowserProfiles
function systematically targets 15 browser families across all three operating systems. On Windows it searches %LOCALAPPDATA%
and %APPDATA%
, on macOS ~/Library/Application Support
, and on Linux ~/.config
:
Windows targets: Chrome, Chrome Beta, Chrome Canary, Edge, Edge Beta, Brave, Opera, Opera GX, Vivaldi, Yandex, Chromium, CocCoc, CentBrowser, Firefox
macOS targets (same families plus): Safari
Linux targets: Same Chromium variants plus Firefox under ~/.mozilla
For each browser, the agent copies browser history files and scans for wallet extensions by matching extension directory IDs. The browser process is killed first to release database locks:
Crypto Wallet Extension Theft: 80+ Extensions
The binary contains a hardcoded mapping of over 80 Chromium browser extension IDs to wallet names. For each installed extension found in any browser profile, it copies both the extension code directory and its localStorage
data:
The complete list spans major chains: Ethereum (MetaMask, Rabby, Zerion, Rainbow), Solana (Phantom, Solflare, Backpack, Glow), Bitcoin (UniSat, Ordinals, Xverse), Cosmos (Keplr, Leap, Cosmostation), Aptos (Petra, Pontem, Martian), Sui (Ethos, Sui Wallet), Tezos (Temple), Polkadot (Polkadot.js, Talisman, SubWallet), Tron (TronLink), NEAR (Meteor, HERE), Stacks (Leather/Hiro), XRP (Crossmark), and multi-chain wallets (Trust, Coinbase, OKX, Exodus, Brave, Safe/Gnosis).
Each extension’s data is copied with a 100 MB per-file size cap and packed into a gzip archive for upload:
Telegram Session Hijacking
The handleSendTdata
function targets Telegram Desktop’s tdata
directory, which contains session keys that allow full account takeover without credentials. The path resolution is OS-aware:
The tdata
directory is compressed with gzip via packTdata()
and uploaded to HuggingFace with the victim’s OS, IP address, and username as metadata:
SSH Key Exfiltration
The download_ssh
task exfiltrates the entire ~/.ssh
directory, targeting:
Stolen SSH keys are packed and uploaded to a dedicated HuggingFace dataset named ssh_keys
:
Cross-Platform Keylogger
The keylogger is implemented natively for each platform using OS-level input capture APIs:
Windows: Uses a low-level keyboard hook via SetWindowsHookEx
(hook ID 13 = WH_KEYBOARD_LL
) with GetAsyncKeyState
for modifier detection. Compiled and injected as an inline C# snippet executed through PowerShell:
macOS: Uses Core Graphics CGEventTap
to create a session-level event tap that listens for keyDown
events:
Linux: Attempts xinput test-xi2 --root
first (X11 input extension), falling back to raw /dev/input
evdev reading with a 24-byte input_event
struct parser: The keylogger runs alongside a clipboard watcher that polls every second:
Screenshot Capture
The binary supports both on-demand and periodic screenshot capture across all platforms:
Windows: Uses PowerShell withSystem.Windows.Forms.Screen
andSystem.Drawing
for BitBlt-based screen capture, with a fast path fallbackmacOS: Uses the nativescreencapture -x -C -t png
commandLinux: Tries multiple screenshot tools:gnome-screenshot
,scrot
, or X11-based capture with display environment detection
Periodic screenshots upload to HuggingFace every 60 seconds when enabled:
Persistence Mechanisms
The binary establishes persistence on all three operating systems using the UNIT_STEM
value MicrosoftSystem64
:
Windows:
- Creates a scheduled task named
\MicrosoftSystem64
viaschtasks /create
- Sets a Run registry key under
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
macOS:
-
Creates a LaunchAgent plist at
~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist -
Loads via
launchctl bootstrap
Linux:
-
Creates a systemd user service at
~/.config/systemd/user/MicrosoftSystem64.service -
Enables via
systemctl --user enable
- Runs
loginctl enable-linger
for user-level persistence without login - Creates an XDG autostart desktop entry at
~/.config/autostart/MicrosoftSystem64.desktop
The install directory is ~/.local/share/MicrosoftSystem64
on Linux, with a .registered
marker file containing an ISO timestamp written on first execution.
Self-Update Mechanism
The binary checks for updates every 24 hours from the HuggingFace repository:
The update process fetches a version file from hxxps://huggingface[.]co/jpeek998/system-releases/resolve/main
using the embedded HuggingFace token, compares it against the current BINARY_VERSION
(“1.0.8”), and if a newer version is available, downloads the platform-specific binary and replaces the running executable. The current binary was built against version 1.0.7
in the config but reports as 1.0.8
, suggesting the version was bumped after the config was encoded.
Upload Resilience
The agent includes a persistent upload queue that survives crashes and restarts. Failed uploads are saved to disk and retried on the next successful C2 connection:
If the local archive file is missing on retry (e.g., cleaned by antivirus), the agent re-packs the folder from the original path before retrying.
## Attacker Infrastructure: Live Probe (2026-05-28)
We probed the attacker’s HuggingFace infrastructure on May 28, 2026. The findings confirm the exfiltration pipeline is actively operating with real victims.
Account Status
The attacker operates two HuggingFace accounts:
| Account | Created | Purpose | Status (May 28) |
|---|---|---|---|
Lordplay |
2025-11-24 | Binary hosting (system-releases repo) |
Account active, repo disabled by HuggingFace (file downloads return 401). 7 public “football pose detection” models used as cover. |
jpeek998 |
2026-05-15 | Data exfiltration (private datasets) | Fully active. Display name “Jlob”, no public repos. |
The Lordplay/system-releases
repo metadata is still readable. It lists all four platform binaries (MicrosoftSystem64-linux
at 85 MB, -win.exe
at 67 MB, `-darwin-x64`
at 87 MB, `-darwin-arm64`
at 84 MB) and a version.txt
, last modified May 18. HuggingFace disabled file access but did not remove the repo or the account.
The jpeek998
account was created on May 15, 13 days after the Lordplay
repo was disabled, as a replacement exfiltration endpoint. The HuggingFace API token embedded in the binary (redacted; reported to HuggingFace for revocation) authenticated successfully as jpeek998
with read/write access to private datasets at the time of our probe.
Active Victim Data
Using the embedded token, we enumerated three private datasets under jpeek998
containing exfiltrated data from two active victims:
| Dataset | Victim | Type | Files | Time range (UTC) | Size |
|---|---|---|---|---|---|
jpeek998/linux_ubuntu_f083ccb52684 |
Linux (Ubuntu) | Screenshots (base64 PNG in JSON) | 323 | May 27 23:51 to May 28 05:14 | ~167 MB |
jpeek998/win_wulin_e8bc41d9aca8 |
Windows (user wulin ) |
Screenshots (base64 PNG in JSON) | 94 | May 28 03:41 to May 28 05:14 | ~16 MB |
jpeek998/win_wulin_e8bc41d9aca8_scan_files |
Windows (user wulin ) |
Stolen credential files (gzip) | 1 | May 28 03:43 | 500 MB |
The screenshots are captured every 60 seconds and uploaded as JSON files containing a screenshot
key with base64-encoded PNG data. We downloaded and decoded all 417 screenshots from both datasets. The following images are actual exfiltrated screenshots recovered from the attacker’s HuggingFace datasets, shown here as evidence of the active surveillance operation.
The Linux victim’s desktop shows a crypto trading terminal (MT5 connected to Binance EUR/BTC), Python scripts, and Polymarket bot notifications:
The Windows victim’s desktop shows ChatGPT, a JoinQuant algorithmic trading platform, and VS Code with multiple browser tabs open to cryptocurrency exchanges:
A later capture of the same Windows victim shows them browsing JoinQuant’s strategy backtesting interface with active trading algorithms:
Both victims are cryptocurrency traders, which aligns with the payload’s focus on stealing wallet extensions and browser credentials. The attacker is watching their screens in near real-time while simultaneously exfiltrating their credential databases.
Stolen Data Contents
The 500 MB credential archive from the Windows victim (wulin
) uses a custom binary packing format (not standard tar/zip). String extraction reveals 1,097 credential files stolen from the machine, organized by a numeric index with sanitized path names.
**Data stolen from user wulin (C: drive):**
- SSH keys:
id_rsa
,id_rsa.pub
,known_hosts
,known_hosts.old
- Chrome Login Data, Cookies, Web Data, History, Bookmarks (Default and Profile 2)
- Edge Login Data, Cookies, Web Data, History
- Chrome and Edge
Local State
files (contain DPAPI-encrypted master keys) - Claude Desktop app data (
Claude-3p/Local State
, Crashpad settings) - NVIDIA app embedded browser credentials
- Various Electron app credential stores
Data stolen from user Nicolas (D: drive, second user profile or mapped drive):
- WeChat (
xwechat
) session data, history, and web data across multiple profiles - HuaYoungBrowser (anti-detect browser) Login Data, Cookies, and History from multiple shop profiles (shop IDs
327099334275079
,331362951237637
,335250269933673
,335269886693379
,339596858634247
) - Remote Desktop connection files (
.rdp
) - Todoist app credentials
- Telegram data
The presence of HuaYoungBrowser shop profiles suggests the victim may be running an e-commerce operation with multiple store accounts. The stealer harvested credentials from every Chromium-based application on both user profiles across two drives.
Dataset Naming Convention
The agent constructs dataset names from the victim’s agentId (derived from platform_username_machineId
) and the scan type:
Each dataset is created as a private HuggingFace dataset via POST hxxps://huggingface[.]co/api/repos/create
. Files are uploaded as Git LFS commits using NDJSON-formatted commit operations. After each upload, the agent notifies the C2 at hxxp://195[.]201[.]194[.]107:8010/api/validate/hf-upload-complete
with upload metadata so the operator knows which dataset to pull.
Attribution: The toskypi #
/ jpeek*
Cluster
Cross-referencing the attacker identifiers embedded in this binary with public threat intelligence reveals a broader campaign spanning multiple npm packages, HuggingFace accounts, and at least three months of activity.
Identity Cluster
The SSH key comment bink@DESKTOP-N8JGD6T
leaked in `js-logger-pack`
v1.1.5 is the strongest forensic anchor. [JFrog Research](https://research.jfrog.com/post/hugging-face-exfil/) traced this to a GitHub identity `ptc-bink`
and a web persona whisdev
, with copilot-ai.whisdev.org
serving as a secondary hostname on the same C2 IP (195[.]201[.]194[.]107
). The npm publisher account jpeek868
) declared [email protected]toskypi
as the package author, a name that appears independently in kmsec.uk’s Contagious Trader campaign report under the email
.[email protected]
The jpeek
namespace rotates numerically: jpeek868
, jpeek886
, jpeek895
are all linked npm accounts sharing the same Lordplay/system-releases
HuggingFace infrastructure for binary staging. Additional associated npm accounts include pvnd3540749
and yggedd817513
.
| Alias | Platform | Role |
|---|---|---|
jpeek868 / jpeek886 / jpeek895 |
npm | Package publishers (rotated after takedowns) |
toskypi ( ) |
npm author field | Persistent author identity across campaigns |
Lordplay |
HuggingFace | Binary staging (system-releases , disabled by HF) |
jpeek998 (“Jlob”) |
HuggingFace | Active exfiltration endpoint (created 2026-05-15) |
whisdev / ptcbink |
HuggingFace, GitHub | Linked persona, C2 hostname copilot-ai.whisdev.org |
bink@DESKTOP-N8JGD6T |
SSH key (leaked) | Attacker’s development machine |
snipmaxi |
Telegram | Linked handle |
Attributed Malicious Packages
The same actor or closely coordinated group published at least seven malicious npm packages:
| Package | Account | Date | Mechanism |
|---|---|---|---|
`polymarket-validator` | `toskypi` | Feb 2026 | Exfil to `sha256-validate-rpc.vercel[.]app` |
changelog-logger-utilities | toskypi | Mar 15, 2026 | Exfil to changelog[.]rest |
js-logger-pack | jpeek868 / toskypi | Apr 1-20, 2026 | WebSocket stealer, then HF binary dropper |
terminal-logger-utils | jpeek895 cluster | May 20-21, 2026 | RC4/XOR obfuscated MicrosoftSystem64 dropper |
ts-logger-pack | linked | Apr 1 / May 20, 2026 | Dependency proxy to terminal-logger-utils |
pretty-logger-utils | jpeek895 cluster | May 2026 | Same dropper infrastructure |
pinno-loggers | jpeek895 cluster | May 2026 | Same dropper infrastructure |
The February and March packages (polymarket-validator
, `changelog-logger-utilities`
) belong to the [Contagious Trader campaign](https://kmsec.uk/blog/contagious-trader/) targeting cryptocurrency trading bot developers. The April pivot to `js-logger-pack`
introduced the HuggingFace exfiltration channel. After npm took down js-logger-pack
on April 22, the May packages (terminal-logger-utils
and its dependents) continued distributing MicrosoftSystem64
under fresh accounts, demonstrating rapid account rotation and operational resilience.
Campaign Lineage
kmsec.uk and OX Security independently attribute this cluster to FAMOUS CHOLLIMA (also tracked as Contagious Interview), a DPRK-linked threat actor group known for targeting developers through poisoned npm packages, fake job interviews, and trojanized trading tools. The toskypi
identity appears alongside approximately 20 other npm accounts in the Contagious Trader report, and kmsec.uk linked jpeek895
to the earlier BigSquatRat campaign (bigmathix
, bigmathutils
, axios-net
) from January 2026.
The operational pattern is consistent: purpose-built throwaway npm accounts, cryptocurrency/developer tooling as lures, credential theft with a focus on crypto wallets, and infrastructure pivoting after disclosure. What distinguishes this particular iteration is the adoption of HuggingFace as both a binary CDN and exfiltration backend, a technique that makes network-level detection significantly harder since all traffic appears as authenticated HTTPS requests to a legitimate ML platform.
Conclusion #
MicrosoftSystem64
is a well-engineered, multi-platform RAT that leverages HuggingFace as both a binary distribution CDN and a data exfiltration backend. The abuse of a legitimate ML platform for command-and-control infrastructure makes network-level detection challenging: all exfiltration traffic appears as authenticated HTTPS requests to huggingface.co
. The 24-task C2 protocol, cross-platform keylogger, 80+ wallet extension targets, and persistent self-update loop make this a comprehensive credential theft platform operating in the open source supply chain.
Our live probe of the attacker’s infrastructure on May 28, 2026 confirmed this is not a theoretical threat: the exfiltration pipeline was actively operating, the embedded HuggingFace token was still valid, and real victims were being surveilled with screenshots captured every 60 seconds and hundreds of credential files exfiltrated. The attacker has already pivoted accounts once (from Lordplay
to jpeek998
) after the first repo was disabled, demonstrating operational resilience.
Organizations that installed js-logger-pack
, `terminal-logger-utils`
, `ts-logger-pack`
, `pretty-logger-utils`
, pinno-loggers
, or any other package from the jpeek*
/toskypi
cluster should treat it as a full compromise: rotate all credentials, SSH keys, API tokens, and crypto wallet seed phrases on affected machines. The actor’s pattern of rapid account rotation after takedowns means new package names distributing the same MicrosoftSystem64
binary should be expected.
To detect this payload in your dependency tree before it executes, scan your projects with vet.
References #
JFrog Research: Data Exfiltration via Hugging FaceSafeDep: Malicious npm Package js-logger-pack Ships a Multi-Platform WebSocket StealerOX Security: North Korean-Linked Threat Actor Targets Developers with New npm Infostealer RATkmsec.uk: Contagious Trader Campaignkmsec.uk: BigSquatRat Campaign (bigmathix)kmsec.uk: DPRK npm Research FeedNode.js Single Executable Applications documentation
- vet
- malware
- npm
- supply-chain
- stealer
- crypto
- huggingface
- rat
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs #
Follow for the latest updates and insights on open source security & engineering
141 npm Packages Abuse Registry as Adware Hosting npm account terminal3airport published 141 packages containing a web proxy unblocker disguised as tutoring websites. The packages load popunder ads, external monetization scripts, and Google...
Megalodon: Mass GitHub Repo Backdooring via CI Workflows Over 5,700 malicious commits were pushed to GitHub repositories on May 18, 2026, replacing GitHub Actions workflows with base64-encoded secret exfiltration payloads. The "megalodon" campaign targeted...
forge-jsxy: 22 Versions of an Actively Developed npm RAT forge-jsxy picked up where the taken-down forge-jsx left off, publishing 22 versions over 22 days. Each release added new capabilities: crypto wallet scanning, Chromium extension theft, WebRTC data...
Polymarket npm Packages Steal Crypto Wallet Keys Nine coordinated npm packages target Polymarket traders with a social-engineered postinstall prompt that exfiltrates raw private keys to a Cloudflare Worker. The attacker published all packages...
Ship Code. #
Not Malware. #
Start free with open source tools on your machine. Scale to a unified platform for your organization.