{"slug": "inside-microsoftsystem64-a-supply-chain-rat-exfiltrating-to-huggingface", "title": "Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace", "summary": "A malicious npm package called `js-logger-pack` evolved through 29 versions on the registry from April 2026 into a full remote access trojan that deploys an 81 MB binary named `MicrosoftSystem64` on Windows, macOS, and Linux systems. The malware exfiltrates stolen credentials, cryptocurrency wallet data, Telegram sessions, SSH keys, and clipboard contents to attacker-controlled HuggingFace datasets, while maintaining active command-and-control connections and self-updating capabilities. The threat remained fully active as of May 28, with the embedded HuggingFace token still valid and real victims under active surveillance, despite public disclosures by SafeDep and JFrog Research.", "body_md": "# Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace\n\n## TL;DR\n\nIn early April 2026, a malicious npm package called `js-logger-pack` began evolving through 29 versions on the registry, progressing from a harmless probe into a full WebSocket stealer and eventually a binary dropper. [SafeDep’s analysis](/malicious-js-logger-pack-npm-stealer) on April 15 first documented this evolution and identified its second-stage payload: a binary called `MicrosoftSystem64`. A week later, [JFrog Research](https://research.jfrog.com/post/hugging-face-exfil/) independently reported the same campaign, highlighting its novel abuse of HuggingFace as a data exfiltration channel. Despite both disclosures, the threat remains fully active over six weeks later: our live infrastructure probe on May 28 confirmed the embedded HuggingFace token was still valid, the C2 server was accepting connections, and real victims were under active surveillance. 
The token has since been reported to HuggingFace for revocation.\n\n`MicrosoftSystem64` itself is an 81 MB stripped ELF binary (with Windows and macOS variants) that packages a full-featured info-stealer and remote access trojan (RAT) inside a Node.js v20.18.2 Single Executable Application (SEA). It connects to a WebSocket C2 at `195[.]201[.]194[.]107:8010`, accepts 24 distinct remote commands, and exfiltrates stolen data to attacker-controlled HuggingFace datasets. It self-updates from a HuggingFace model repository, establishes persistence on all three major operating systems, and targets over 80 cryptocurrency wallet browser extensions, every Chromium and Firefox browser variant, Telegram Desktop sessions, SSH keys, and the system clipboard. It includes a cross-platform keylogger using native OS APIs (Windows `SetWindowsHookEx`, macOS `CGEventTap`, Linux `xinput`/`evdev`) and captures periodic screenshots uploaded to HuggingFace. This post provides a deep binary-level analysis of the payload’s full capabilities. The current analyzed version is 1.0.8.\n\n**Impact:**\n\n- Exfiltration of credentials from 15 browser families (Chrome, Edge, Brave, Firefox, Opera, Vivaldi, Safari, Yandex, Chromium, CocCoc, CentBrowser, Opera GX, Chrome Beta, Chrome Canary, Edge Beta).\n- Theft of 80+ cryptocurrency wallet browser extension data including local storage, extension code, and wallet files.\n- Telegram Desktop session hijacking via `tdata` folder compression and upload.\n- SSH key exfiltration (`id_rsa`, `id_ed25519`, `id_ecdsa`, `known_hosts`, `authorized_keys`).
- Cross-platform keylogger with clipboard monitoring (1 second polling interval).\n- Periodic screenshot capture and upload to HuggingFace (60 second interval).\n- Remote command execution with shell access on all platforms.\n- Self-updating binary with 24-hour check interval from HuggingFace.\n- Persistence via Windows Scheduled Tasks, macOS LaunchAgents, Linux systemd user units and XDG autostart.\n\n**Indicators of Compromise (IoC):**\n\n| Indicator | Value |\n|---|---|\n| Binary name | `MicrosoftSystem64` (Linux), `MicrosoftSystem64.exe` (Windows), `MicrosoftSystem64-darwin-x64` / `MicrosoftSystem64-darwin-arm64` (macOS) |\n| SHA-256 (Linux ELF) | `b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97` |\n| File size | 85,134,080 bytes (81 MB) |\n| Binary version | `1.0.8` |\n| Node.js version | v20.18.2 (statically linked SEA) |\n| C2 server | `195[.]201[.]194[.]107:8010` (WebSocket + HTTP), Hetzner Online GmbH, DE, AS24940 |\n| HuggingFace binary host | `hxxps://huggingface[.]co/jpeek998/system-releases/resolve/main` |\n| HuggingFace exfil account | `jpeek998` (encrypted in binary config) |\n| HuggingFace token (encrypted) | `MlohU84sIc82dTpY/CgE3jdOOWD1OwnyDXYRds4bG+cUeBRH7w==` |\n| XOR encryption key | `[90, 60, 126, 18, 159, 75, 109, 138]` |\n| Persistence unit name | `MicrosoftSystem64` (systemd service, LaunchAgent label `com.launchkeeper.MicrosoftSystem64`, Windows scheduled task) |\n| Install directory | `~/.local/share/MicrosoftSystem64` (Linux), `~/Library/Application Support/MicrosoftSystem64` (macOS), `%LOCALAPPDATA%\\MicrosoftSystem64` (Windows) |\n| Registration marker | `.registered` file with ISO timestamp in install directory |\n| Related npm package | `js-logger-pack` |\n| Earlier HuggingFace binary host | `Lordplay/system-releases` (earlier binary hosting) |\n\n## Analysis\n\n### Binary Structure: Node.js SEA as an Evasion Vector\n\nThe binary is an 81 MB stripped ELF 64-bit x86-64 executable, dynamically linked against `libdl`, `libstdc++`, `libm`, 
`libgcc_s`, `libpthread`, and `libc`. Despite looking like a native Linux binary to file type checks, it is a [Node.js Single Executable Application](https://nodejs.org/api/single-executable-applications.html) (SEA) built on Node.js v20.18.2. The SEA format bundles the full V8 engine, Node.js runtime, OpenSSL, and the malicious JavaScript into a single distributable binary.\n\nThis packaging strategy gives the attacker several advantages: the payload runs without requiring Node.js on the victim machine, the JavaScript source is embedded within megabytes of V8 runtime strings making static analysis harder, and the binary presents as a native executable to endpoint monitoring tools rather than a suspicious `node` process. The `process.title` is set to `MicrosoftSystem64`, so process listings show a plausible-looking Microsoft service name.\n\n### Configuration and Encryption\n\nThe embedded JavaScript is bundled from `dist/config.js` and uses a simple XOR cipher to obfuscate hardcoded configuration values. The decryption function and key are present in cleartext:\n\nThe configuration block stores XOR-encrypted values alongside cleartext comments that reveal the plaintext, making deobfuscation trivial:\n\nThe decoded configuration establishes: the C2 WebSocket endpoint at `ws://195[.]201[.]194[.]107:8010`, a heartbeat interval of 15 seconds, a HuggingFace model repository at `jpeek998/system-releases` for binary updates, and a HuggingFace API token for authenticated dataset uploads. The attacker left the plaintext in comments during development and never cleaned them from the production build.\n\n### C2 Communication Architecture\n\nThe agent connects to the C2 server over WebSocket with automatic reconnection using exponential backoff (1 second minimum, 10 second maximum, 500 ms jitter). 
On connection, it sends a heartbeat message containing a unique `agentId` derived from the victim’s platform, username, and machine identifier:\n\nThe heartbeat fires every 15 seconds (configured via `HB`). On reconnection, the agent resumes any pending uploads that failed during previous sessions, providing resilience against network disruptions.\n\n### Command and Control: 24 Remote Tasks\n\nThe binary accepts 24 distinct task types from the C2 operator, making it a full remote access trojan:\n\n| Task type | Capability |\n|---|---|\n| `scan_wallets` | Enumerate and exfiltrate all crypto wallet browser extensions and standalone wallet apps |\n| `scan_files` | Scan filesystem for files matching attacker-specified patterns |\n| `send_tdata` | Compress and upload Telegram Desktop session data |\n| `download_ssh` | Exfiltrate SSH keys directory |\n| `exec_command` | Execute arbitrary shell commands (PowerShell on Windows, `/bin/sh` on Unix) |\n| `list_dir` | Directory listing |\n| `list_drives` | Enumerate mounted drives/volumes |\n| `get_system_info` | Collect OS, CPU, RAM, network, and user details |\n| `get_folder_size` / `get_multi_folder_size` / `get_multi_item_size` | Reconnaissance of file sizes |\n| `start_input_capture` / `stop_input_capture` / `get_input_events` | Cross-platform keylogger with clipboard capture |\n| `start_screenshot_stream` / `stop_screenshot_stream` / `set_screenshot_stream_quality` | Real-time screenshot streaming to C2 |\n| `start_screenshot_hf_upload` / `stop_screenshot_hf_upload` / `capture_screenshot_hf` | Periodic screenshot upload to HuggingFace (60 second intervals) |\n| `clipboard_get` / `clipboard_set` / `get_clipboard` | Read and write system clipboard |\n| `upload_folder_hf` / `upload_batch_hf` | Upload arbitrary directories to HuggingFace datasets |\n\nThe `exec_command` handler is a full remote shell. On Windows it spawns `powershell.exe -NoProfile -NonInteractive -Command`, on Linux/macOS it uses `/bin/sh -c`. 
It supports configurable timeouts (default 60 seconds), working directory, and shell toggle:\n\n### Data Exfiltration via HuggingFace\n\nThe most distinctive feature of this payload is its abuse of HuggingFace as a data exfiltration backend, [documented by JFrog Research](https://research.jfrog.com/post/hugging-face-exfil/). Rather than uploading stolen data directly to the C2 server (which would require significant bandwidth and storage infrastructure), the agent creates private HuggingFace datasets under the attacker’s account and commits stolen files using the HuggingFace Git LFS commit API:\n\nEach victim’s data is organized into separate datasets named from the `agentId` and the data type (e.g., `scan_wallets`, `scan_files`, `ssh_keys`). The agent first ensures the dataset exists via the HuggingFace API, then uploads gzipped archives as commits. After each upload, it notifies the C2 server with metadata about the upload:\n\nThis architecture offloads storage to HuggingFace’s infrastructure, making the exfiltration harder to detect (HTTPS traffic to a legitimate ML platform) and cheaper for the attacker to operate. The C2 server only receives lightweight notification messages while HuggingFace stores the actual stolen data.\n\nThe current binary uses the HuggingFace account `jpeek998`, a pivot from the earlier `Lordplay` account used for binary hosting in the first dropper versions.\n\n### Browser Credential Theft\n\nThe `_scanBrowserProfiles` function systematically targets 15 browser families across all three operating systems. 
On Windows it searches `%LOCALAPPDATA%` and `%APPDATA%`, on macOS `~/Library/Application Support`, and on Linux `~/.config`:\n\n**Windows targets:** Chrome, Chrome Beta, Chrome Canary, Edge, Edge Beta, Brave, Opera, Opera GX, Vivaldi, Yandex, Chromium, CocCoc, CentBrowser, Firefox\n\n**macOS targets (same families plus):** Safari\n\n**Linux targets:** Same Chromium variants plus Firefox under `~/.mozilla`\n\nFor each browser, the agent copies browser history files and scans for wallet extensions by matching extension directory IDs. The browser process is killed first to release database locks:\n\n### Crypto Wallet Extension Theft: 80+ Extensions\n\nThe binary contains a hardcoded mapping of over 80 Chromium browser extension IDs to wallet names. For each installed extension found in any browser profile, it copies both the extension code directory and its `localStorage` data:\n\nThe complete list spans major chains: Ethereum (MetaMask, Rabby, Zerion, Rainbow), Solana (Phantom, Solflare, Backpack, Glow), Bitcoin (UniSat, Ordinals, Xverse), Cosmos (Keplr, Leap, Cosmostation), Aptos (Petra, Pontem, Martian), Sui (Ethos, Sui Wallet), Tezos (Temple), Polkadot (Polkadot.js, Talisman, SubWallet), Tron (TronLink), NEAR (Meteor, HERE), Stacks (Leather/Hiro), XRP (Crossmark), and multi-chain wallets (Trust, Coinbase, OKX, Exodus, Brave, Safe/Gnosis).\n\nEach extension’s data is copied with a 100 MB per-file size cap and packed into a gzip archive for upload:\n\n### Telegram Session Hijacking\n\nThe `handleSendTdata` function targets Telegram Desktop’s `tdata` directory, which contains session keys that allow full account takeover without credentials. 
The path resolution is OS-aware:\n\nThe `tdata` directory is compressed with gzip via `packTdata()` and uploaded to HuggingFace with the victim’s OS, IP address, and username as metadata:\n\n### SSH Key Exfiltration\n\nThe `download_ssh` task exfiltrates the entire `~/.ssh` directory, targeting:\n\nStolen SSH keys are packed and uploaded to a dedicated HuggingFace dataset named `ssh_keys`:\n\n### Cross-Platform Keylogger\n\nThe keylogger is implemented natively for each platform using OS-level input capture APIs:\n\n**Windows:** Uses a low-level keyboard hook via `SetWindowsHookEx` (hook ID 13 = `WH_KEYBOARD_LL`) with `GetAsyncKeyState` for modifier detection. Compiled and injected as an inline C# snippet executed through PowerShell:\n\n**macOS:** Uses Core Graphics `CGEventTap` to create a session-level event tap that listens for `keyDown` events:\n\n**Linux:** Attempts `xinput test-xi2 --root` first (X11 input extension), falling back to raw `/dev/input` evdev reading with a 24-byte `input_event` struct parser:\n\nThe keylogger runs alongside a clipboard watcher that polls every second:\n\n### Screenshot Capture\n\nThe binary supports both on-demand and periodic screenshot capture across all platforms:\n\n**Windows:** Uses PowerShell with `System.Windows.Forms.Screen` and `System.Drawing` for BitBlt-based screen capture, with a fast path fallback\n\n**macOS:** Uses the native `screencapture -x -C -t png` command\n\n**Linux:** Tries multiple screenshot tools: `gnome-screenshot`, `scrot`, or X11-based capture with display environment detection\n\nPeriodic screenshots upload to HuggingFace every 60 seconds when enabled:\n\n### Persistence Mechanisms\n\nThe binary establishes persistence on all three operating systems using the `UNIT_STEM` value `MicrosoftSystem64`:\n\n**Windows:**\n\n- Creates a scheduled task named `\\MicrosoftSystem64` via `schtasks /create`\n- Sets a Run registry key 
under `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`\n\n**macOS:**\n\n- Creates a LaunchAgent plist at `~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist`\n- Loads via `launchctl bootstrap`\n\n**Linux:**\n\n- Creates a systemd user service at `~/.config/systemd/user/MicrosoftSystem64.service`\n- Enables via `systemctl --user enable`\n- Runs `loginctl enable-linger` for user-level persistence without login\n- Creates an XDG autostart desktop entry at `~/.config/autostart/MicrosoftSystem64.desktop`\n\nThe install directory is `~/.local/share/MicrosoftSystem64` on Linux, with a `.registered` marker file containing an ISO timestamp written on first execution.\n\n### Self-Update Mechanism\n\nThe binary checks for updates every 24 hours from the HuggingFace repository:\n\nThe update process fetches a version file from `hxxps://huggingface[.]co/jpeek998/system-releases/resolve/main` using the embedded HuggingFace token, compares it against the current `BINARY_VERSION` (“1.0.8”), and if a newer version is available, downloads the platform-specific binary and replaces the running executable. The current binary was built against version `1.0.7` in the config but reports as `1.0.8`, suggesting the version was bumped after the config was encoded.\n\n### Upload Resilience\n\nThe agent includes a persistent upload queue that survives crashes and restarts. Failed uploads are saved to disk and retried on the next successful C2 connection:\n\nIf the local archive file is missing on retry (e.g., cleaned by antivirus), the agent re-packs the folder from the original path before retrying.\n\n## Attacker Infrastructure: Live Probe (2026-05-28)\n\nWe probed the attacker’s HuggingFace infrastructure on May 28, 2026. 
The findings confirm the exfiltration pipeline is actively operating with real victims.\n\n### Account Status\n\nThe attacker operates two HuggingFace accounts:\n\n| Account | Created | Purpose | Status (May 28) |\n|---|---|---|---|\n| `Lordplay` | 2025-11-24 | Binary hosting (`system-releases` repo) | Account active, repo disabled by HuggingFace (file downloads return 401). 7 public “football pose detection” models used as cover. |\n| `jpeek998` | 2026-05-15 | Data exfiltration (private datasets) | Fully active. Display name “Jlob”, no public repos. |\n\nThe `Lordplay/system-releases` repo metadata is still readable. It lists all four platform binaries (`MicrosoftSystem64-linux` at 85 MB, `-win.exe` at 67 MB, `-darwin-x64` at 87 MB, `-darwin-arm64` at 84 MB) and a `version.txt`, last modified May 18. HuggingFace disabled file access but did not remove the repo or the account.\n\nThe `jpeek998` account was created on May 15, 13 days after the `Lordplay` repo was disabled, as a replacement exfiltration endpoint. 
The HuggingFace API token embedded in the binary (redacted; reported to HuggingFace for revocation) authenticated successfully as `jpeek998` with read/write access to private datasets at the time of our probe.\n\n### Active Victim Data\n\nUsing the embedded token, we enumerated three private datasets under `jpeek998` containing exfiltrated data from two active victims:\n\n| Dataset | Victim | Type | Files | Time range (UTC) | Size |\n|---|---|---|---|---|---|\n| `jpeek998/linux_ubuntu_f083ccb52684` | Linux (Ubuntu) | Screenshots (base64 PNG in JSON) | 323 | May 27 23:51 to May 28 05:14 | ~167 MB |\n| `jpeek998/win_wulin_e8bc41d9aca8` | Windows (user `wulin`) | Screenshots (base64 PNG in JSON) | 94 | May 28 03:41 to May 28 05:14 | ~16 MB |\n| `jpeek998/win_wulin_e8bc41d9aca8_scan_files` | Windows (user `wulin`) | Stolen credential files (gzip) | 1 | May 28 03:43 | 500 MB |\n\nThe screenshots are captured every 60 seconds and uploaded as JSON files containing a `screenshot` key with base64-encoded PNG data. We downloaded and decoded all 417 screenshots from both datasets. The following images are actual exfiltrated screenshots recovered from the attacker’s HuggingFace datasets, shown here as evidence of the active surveillance operation.\n\nThe Linux victim’s desktop shows a crypto trading terminal (MT5 connected to Binance EUR/BTC), Python scripts, and Polymarket bot notifications:\n\nThe Windows victim’s desktop shows ChatGPT, a JoinQuant algorithmic trading platform, and VS Code with multiple browser tabs open to cryptocurrency exchanges:\n\nA later capture of the same Windows victim shows them browsing JoinQuant’s strategy backtesting interface with active trading algorithms:\n\nBoth victims are cryptocurrency traders, which aligns with the payload’s focus on stealing wallet extensions and browser credentials. 
The attacker is watching their screens in near real-time while simultaneously exfiltrating their credential databases.\n\n### Stolen Data Contents\n\nThe 500 MB credential archive from the Windows victim (`wulin`) uses a custom binary packing format (not standard tar/zip). String extraction reveals **1,097 credential files** stolen from the machine, organized by a numeric index with sanitized path names.\n\n**Data stolen from user wulin (C: drive):**\n\n- SSH keys: `id_rsa`, `id_rsa.pub`, `known_hosts`, `known_hosts.old`\n- Chrome Login Data, Cookies, Web Data, History, Bookmarks (Default and Profile 2)\n- Edge Login Data, Cookies, Web Data, History\n- Chrome and Edge `Local State` files (contain DPAPI-encrypted master keys)\n- Claude Desktop app data (`Claude-3p/Local State`, Crashpad settings)\n- NVIDIA app embedded browser credentials\n- Various Electron app credential stores\n\n**Data stolen from user Nicolas (D: drive, second user profile or mapped drive):**\n\n- WeChat (`xwechat`) session data, history, and web data across multiple profiles\n- HuaYoungBrowser (anti-detect browser) Login Data, Cookies, and History from multiple shop profiles (shop IDs `327099334275079`, `331362951237637`, `335250269933673`, `335269886693379`, `339596858634247`)\n- Remote Desktop connection files (`.rdp`)\n- Todoist app credentials\n- Telegram data\n\nThe presence of HuaYoungBrowser shop profiles suggests the victim may be running an e-commerce operation with multiple store accounts. The stealer harvested credentials from every Chromium-based application on both user profiles across two drives.\n\n### Dataset Naming Convention\n\nThe agent constructs dataset names from the victim’s agentId (derived from `platform_username_machineId`) and the scan type:\n\nEach dataset is created as a private HuggingFace dataset via `POST hxxps://huggingface[.]co/api/repos/create`. 
Files are uploaded as Git LFS commits using NDJSON-formatted commit operations. After each upload, the agent notifies the C2 at `hxxp://195[.]201[.]194[.]107:8010/api/validate/hf-upload-complete` with upload metadata so the operator knows which dataset to pull.\n\n## Attribution: The `toskypi` / `jpeek*` Cluster\n\nCross-referencing the attacker identifiers embedded in this binary with public threat intelligence reveals a broader campaign spanning multiple npm packages, HuggingFace accounts, and at least three months of activity.\n\n### Identity Cluster\n\nThe SSH key comment `bink@DESKTOP-N8JGD6T` leaked in `js-logger-pack` v1.1.5 is the strongest forensic anchor. [JFrog Research](https://research.jfrog.com/post/hugging-face-exfil/) traced this to a GitHub identity `ptc-bink` and a web persona `whisdev`, with `copilot-ai.whisdev.org` serving as a secondary hostname on the same C2 IP (`195[.]201[.]194[.]107`). The npm publisher account `jpeek868` declared `toskypi` as the package author, a name that appears independently in [kmsec.uk’s Contagious Trader campaign report](https://kmsec.uk/blog/contagious-trader/).\n\nThe `jpeek` namespace rotates numerically: `jpeek868`, `jpeek886`, `jpeek895` are all linked npm accounts sharing the same `Lordplay/system-releases` HuggingFace infrastructure for binary staging. 
Additional associated npm accounts include `pvnd3540749` and `yggedd817513`.\n\n| Alias | Platform | Role |\n|---|---|---|\n| `jpeek868` / `jpeek886` / `jpeek895` | npm | Package publishers (rotated after takedowns) |\n| `toskypi` | npm author field | Persistent author identity across campaigns |\n| `Lordplay` | HuggingFace | Binary staging (`system-releases`, disabled by HF) |\n| `jpeek998` (“Jlob”) | HuggingFace | Active exfiltration endpoint (created 2026-05-15) |\n| `whisdev` / `ptcbink` | HuggingFace, GitHub | Linked persona, C2 hostname `copilot-ai.whisdev.org` |\n| `bink@DESKTOP-N8JGD6T` | SSH key (leaked) | Attacker’s development machine |\n| `snipmaxi` | Telegram | Linked handle |\n\n### Attributed Malicious Packages\n\nThe same actor or closely coordinated group published at least seven malicious npm packages:\n\n| Package | Account | Date | Mechanism |\n|---|---|---|---|\n| `polymarket-validator` | `toskypi` | Feb 2026 | Exfil to `sha256-validate-rpc.vercel[.]app` |\n| `changelog-logger-utilities` | `toskypi` | Mar 15, 2026 | Exfil to `changelog[.]rest` |\n| `js-logger-pack` | `jpeek868` / `toskypi` | Apr 1-20, 2026 | WebSocket stealer, then HF binary dropper |\n| `terminal-logger-utils` | `jpeek895` cluster | May 20-21, 2026 | RC4/XOR obfuscated MicrosoftSystem64 dropper |\n| `ts-logger-pack` | linked | Apr 1 / May 20, 2026 | Dependency proxy to `terminal-logger-utils` |\n| `pretty-logger-utils` | `jpeek895` cluster | May 2026 | Same dropper infrastructure |\n| `pinno-loggers` | `jpeek895` cluster | May 2026 | Same dropper infrastructure |\n\nThe February and March packages (`polymarket-validator`, `changelog-logger-utilities`) belong to the [Contagious Trader campaign](https://kmsec.uk/blog/contagious-trader/) targeting cryptocurrency trading bot developers. The April pivot to `js-logger-pack` introduced the HuggingFace exfiltration channel. 
After npm took down `js-logger-pack` on April 22, the May packages (`terminal-logger-utils` and its dependents) continued distributing `MicrosoftSystem64` under fresh accounts, demonstrating rapid account rotation and operational resilience.\n\n### Campaign Lineage\n\n[kmsec.uk](https://kmsec.uk/blog/contagious-trader/) and [OX Security](https://www.ox.security/blog/north-korean-npm-infostealer-rat/) independently attribute this cluster to **FAMOUS CHOLLIMA** (also tracked as Contagious Interview), a DPRK-linked threat actor group known for targeting developers through poisoned npm packages, fake job interviews, and trojanized trading tools. The `toskypi` identity appears alongside approximately 20 other npm accounts in the Contagious Trader report, and kmsec.uk linked `jpeek895` to the earlier [BigSquatRat campaign](https://kmsec.uk/blog/js-malware-bigmathix/) (`bigmathix`, `bigmathutils`, `axios-net`) from January 2026.\n\nThe operational pattern is consistent: purpose-built throwaway npm accounts, cryptocurrency/developer tooling as lures, credential theft with a focus on crypto wallets, and infrastructure pivoting after disclosure. What distinguishes this particular iteration is the adoption of HuggingFace as both a binary CDN and exfiltration backend, a technique that makes network-level detection significantly harder since all traffic appears as authenticated HTTPS requests to a legitimate ML platform.\n\n## Conclusion\n\n`MicrosoftSystem64` is a well-engineered, multi-platform RAT that leverages HuggingFace as both a binary distribution CDN and a data exfiltration backend. The abuse of a legitimate ML platform for command-and-control infrastructure makes network-level detection challenging: all exfiltration traffic appears as authenticated HTTPS requests to `huggingface.co`. 
The 24-task C2 protocol, cross-platform keylogger, 80+ wallet extension targets, and persistent self-update loop make this a comprehensive credential theft platform operating in the open source supply chain.\n\nOur live probe of the attacker’s infrastructure on May 28, 2026 confirmed this is not a theoretical threat: the exfiltration pipeline was actively operating, the embedded HuggingFace token was still valid, and real victims were being surveilled with screenshots captured every 60 seconds and hundreds of credential files exfiltrated. The attacker has already pivoted accounts once (from `Lordplay` to `jpeek998`) after the first repo was disabled, demonstrating operational resilience.\n\nOrganizations that installed `js-logger-pack`, `terminal-logger-utils`, `ts-logger-pack`, `pretty-logger-utils`, `pinno-loggers`, or any other package from the `jpeek*`/`toskypi` cluster should treat it as a full compromise: rotate all credentials, SSH keys, API tokens, and crypto wallet seed phrases on affected machines. 
The actor’s pattern of rapid account rotation after takedowns means new package names distributing the same `MicrosoftSystem64` binary should be expected.\n\nTo detect this payload in your dependency tree before it executes, scan your projects with [vet](https://github.com/safedep/vet).\n\n## References\n\n- [JFrog Research: Data Exfiltration via Hugging Face](https://research.jfrog.com/post/hugging-face-exfil/)\n- [SafeDep: Malicious npm Package js-logger-pack Ships a Multi-Platform WebSocket Stealer](/malicious-js-logger-pack-npm-stealer)\n- [OX Security: North Korean-Linked Threat Actor Targets Developers with New npm Infostealer RAT](https://www.ox.security/blog/north-korean-npm-infostealer-rat/)\n- [kmsec.uk: Contagious Trader Campaign](https://kmsec.uk/blog/contagious-trader/)\n- [kmsec.uk: BigSquatRat Campaign (bigmathix)](https://kmsec.uk/blog/js-malware-bigmathix/)\n- [kmsec.uk: DPRK npm Research Feed](https://dprk-research.kmsec.uk/)\n- [Node.js Single Executable Applications documentation](https://nodejs.org/api/single-executable-applications.html)\n\n### Author\n\n#### SafeDep Team\n\nsafedep.io", "url": "https://wpnews.pro/news/inside-microsoftsystem64-a-supply-chain-rat-exfiltrating-to-huggingface", "canonical_source": "https://safedep.io/microsoftsystem64-binary-payload-analysis", "published_at": "2026-05-28 12:00:00+00:00", "updated_at": "2026-05-28 08:54:21.524404+00:00", "lang": "en", "topics": ["ai-infrastructure", "ai-tools", "ai-safety", "ai-ethics", "ai-products"], "entities": ["MicrosoftSystem64", "SafeDep", "JFrog Research", "HuggingFace", "Node.js", "js-logger-pack"], "alternates": {"html": "https://wpnews.pro/news/inside-microsoftsystem64-a-supply-chain-rat-exfiltrating-to-huggingface", "markdown": "https://wpnews.pro/news/inside-microsoftsystem64-a-supply-chain-rat-exfiltrating-to-huggingface.md", "text": "https://wpnews.pro/news/inside-microsoftsystem64-a-supply-chain-rat-exfiltrating-to-huggingface.txt", "jsonld": "https://wpnews.pro/news/inside-microsoftsystem64-a-supply-chain-rat-exfiltrating-to-huggingface.jsonld"}}