According to GBHackers, a malicious npm package called js-logger-pack was first observed in early April 2026 and evolved across 29 incremental versions into cross-platform malware. Per GBHackers, the package deploys a core payload named MicrosoftSystem64, an 81 MB stripped ELF binary that also targets Windows and macOS and supports Node.js v20.18.2 single-executable packaging. GBHackers reports the malware connects to a command-and-control server at 195.201.194.107:8010 and implements 24 commands for remote control. The campaign extracts saved credentials from over 15 browser families, targets more than 80 cryptocurrency wallet extensions, compresses and exfiltrates Telegram Desktop tdata, and harvests SSH keys; GBHackers says a valid HuggingFace API token was abused for covert exfiltration. GBHackers also cites subsequent analysis by JFrog on the unusual use of HuggingFace infrastructure. As of May 28, GBHackers reports the C2 server remained operational, and the embedded token was still valid at the time of discovery.
What happened
According to GBHackers, a malicious supply-chain npm package named js-logger-pack was first observed in early April 2026 and progressed through 29 incremental versions into multifunctional malware. Per GBHackers, the package delivers a second-stage payload called MicrosoftSystem64, described as an 81 MB stripped ELF binary that also runs on Windows and macOS and is packaged using Node.js v20.18.2 single-executable technology. GBHackers reports that the malware establishes a WebSocket connection to a command-and-control server at 195.201.194.107:8010, exposes 24 supported commands for remote control, and remained active as of May 28. GBHackers also reports the operation abused a valid HuggingFace API token for data exfiltration; the token was reported for revocation after discovery. Subsequent analysis by JFrog, cited by GBHackers, highlighted the unusual use of HuggingFace infrastructure for covert data collection.
Technical details
Per GBHackers, the threat harvests browser-stored data across more than 15 browser families, extracts saved credentials and cookies, targets over 80 cryptocurrency wallet extensions for wallet files and extension storage, collects Telegram Desktop tdata to hijack sessions, and exfiltrates SSH private keys such as id_rsa and id_ed25519. The malware's multi-platform packaging and single-binary delivery enable straightforward developer-toolchain integration in compromised supply chains, according to the reported indicators.
Editorial analysis - technical context: Supply-chain attackers commonly evolve seemingly benign packages through many small updates to avoid detection; the reported 29-version escalation matches that pattern. Abuse of third-party cloud or hosting APIs for exfiltration is an emerging trend that complicates detection, because the outbound traffic appears to go to legitimate services.
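As a concrete defender-side check, the following added example (not code from GBHackers, JFrog, or the package itself) scans an npm lockfile for the reported package name, including copies nested under another dependency's node_modules, and scans egress log lines for the reported C2 endpoint. The package name and C2 host:port are the indicators quoted above; the lockfile, log lines, and version numbers are constructed sample input.

```javascript
// Indicators quoted in the report (GBHackers); everything else below is constructed.
const FLAGGED_PACKAGES = new Set(["js-logger-pack"]);
const C2_ENDPOINT = { host: "195.201.194.107", port: 8010 };

// Walk a package-lock.json (v2/v3 "packages" map, or v1 "dependencies" tree)
// and return every install path of a flagged package, nested copies included.
function findFlaggedPackages(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/a/node_modules/b".
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split("node_modules/").pop();
      if (path && FLAGGED_PACKAGES.has(name)) hits.push({ path, version: meta.version });
    }
    return hits; // v2 also carries a legacy "dependencies" tree; skip it to avoid duplicates
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (FLAGGED_PACKAGES.has(name)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/"); // v1 nests transitive deps inline
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Return egress log lines whose destination is exactly the reported C2 host:port.
// Matching on host alone would also flag unrelated traffic to that address.
function findC2Connections(lines) {
  const re = /(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/;
  return lines.filter((line) => {
    const m = re.exec(line);
    return m !== null && m[1] === C2_ENDPOINT.host && Number(m[2]) === C2_ENDPOINT.port;
  });
}

// Constructed sample inputs (not real data; versions are placeholders).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/some-lib/node_modules/js-logger-pack": { version: "0.0.0-constructed" },
  },
};
const sampleLog = [
  "2026-05-01T10:00:00Z host=build-7 dst=140.82.112.3:443 proto=tls",
  "2026-05-01T10:00:05Z host=build-7 dst=195.201.194.107:8010 proto=ws",
  "2026-05-01T10:00:09Z host=build-7 dst=195.201.194.107:443 proto=tls",
];
console.log(findFlaggedPackages(sampleLock), findC2Connections(sampleLog));
```

Because the report describes the package changing across 29 versions, the lockfile check matches on name rather than on a single version.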
Context and significance
Editorial analysis: For maintainers and security teams, a supply-chain package that morphs into cross-platform malware and leverages widely trusted infrastructure for data egress raises both detection and incident-response complexity. The targeting of browser credentials, crypto extensions, Telegram session data, and SSH keys increases downstream risk to both individual developers and organizations that pull dependencies.
What to watch
Editorial analysis: Observers should track revocation of the reported HuggingFace token, takedown of the C2 endpoint GBHackers identified, and any further technical disclosures from JFrog or other researchers that expand IOCs, packaging fingerprints, or command semantics.
Scoring Rationale
This is a notable supply-chain compromise with multi-platform impact and novel abuse of a public ML infrastructure endpoint for exfiltration, raising detection and response complexity for practitioners.