{"slug": "js-logger-pack-delivers-microsoftsystem64-malware-for-data-theft", "title": "js-logger-pack Delivers MicrosoftSystem64 Malware for Data Theft", "summary": "A malicious npm package named js-logger-pack, first observed in early April 2026, evolved across 29 versions into a cross-platform malware loader that deploys an 81 MB payload called MicrosoftSystem64. The malware connects to a command-and-control server at 195.201.194.107:8010, executes 24 remote commands, and extracts saved credentials from over 15 browser families, targets more than 80 cryptocurrency wallet extensions, and harvests Telegram Desktop data and SSH keys. The campaign abused a valid HuggingFace API token for covert data exfiltration, and the C2 server remained operational as of May 28.", "body_md": "# js-logger-pack Delivers MicrosoftSystem64 Malware for Data Theft\n\nAccording to GBHackers, a malicious npm package called **js-logger-pack** was first observed in early April 2026 and evolved across **29** incremental versions into a cross-platform malware loader. Per GBHackers, the package deploys a core payload named **MicrosoftSystem64**, an **81 MB** stripped ELF binary that also targets Windows and macOS and supports Node.js v20.18.2 single-executable packaging. GBHackers reports the malware connects to a command-and-control server at **195.201.194.107:8010** and implements **24** commands for remote control. The campaign extracts saved credentials from over **15** browser families, targets more than **80** cryptocurrency wallet extensions, compresses and exfiltrates Telegram Desktop tdata, and harvests SSH keys; GBHackers says a valid **HuggingFace API token** was abused for covert exfiltration. GBHackers also cites subsequent analysis by **JFrog** on the unusual use of HuggingFace infrastructure. 
As of May 28, GBHackers reports the C2 server remained operational and the embedded token remained valid at discovery.\n\n### What happened\n\nAccording to GBHackers, a malicious supply-chain npm package named **js-logger-pack** was first observed in early April 2026 and progressed through **29** incremental versions into a multifunctional loader. Per GBHackers, the package delivers a second-stage payload called **MicrosoftSystem64**, described as an **81 MB** stripped ELF binary that also runs on Windows and macOS and is packaged using Node.js v20.18.2 single-executable technology. GBHackers reports that the malware establishes a WebSocket connection to a command-and-control server at **195.201.194.107:8010**, exposes **24** supported commands for remote control, and remained active as of May 28. GBHackers also reports the operation abused a valid **HuggingFace API token** for data exfiltration; the token was reported for revocation after discovery. Subsequent analysis by **JFrog**, cited by GBHackers, highlighted the unusual use of HuggingFace infrastructure for covert data collection.\n\n### Technical details\n\nPer GBHackers, the threat harvests browser-stored data across more than **15** browser families, extracts saved credentials and cookies, targets over **80** cryptocurrency wallet extensions for wallet files and extension storage, collects Telegram Desktop tdata to hijack sessions, and exfiltrates SSH private keys such as **id_rsa** and **id_ed25519**. The malware's multi-platform packaging and single-binary delivery make it straightforward to drop into developer toolchains through a compromised supply chain, according to the reported indicators.\n\nEditorial analysis - technical context: Supply-chain attackers commonly evolve benign-seeming packages through many small updates to avoid detection; the reported 29-version escalation matches that pattern. 
Abuse of third-party cloud or hosting APIs for exfiltration is an emerging trend that complicates detection because the traffic appears to go to legitimate services.\n\n### Context and significance\n\nEditorial analysis: For maintainers and security teams, a supply-chain package that morphs into a cross-platform loader and leverages widely trusted infrastructure for data egress raises both detection and incident-response complexity. The targeting of browser credentials, crypto extensions, Telegram session data, and SSH keys increases downstream risk to both individual developers and organizations that pull dependencies.\n\n### What to watch\n\nEditorial analysis: Observers should track revocation of the reported HuggingFace token, takedown of the C2 endpoint GBHackers identified, and any further technical disclosures from JFrog or other researchers that expand IOCs, packaging fingerprints, or command semantics.\n\n## Scoring Rationale\n\nThis is a notable supply-chain compromise with multi-platform impact and novel abuse of a public ML infrastructure endpoint for exfiltration, raising detection and response complexity for practitioners.", "url": "https://wpnews.pro/news/js-logger-pack-delivers-microsoftsystem64-malware-for-data-theft", "canonical_source": "https://letsdatascience.com/news/js-logger-pack-delivers-microsoftsystem64-malware-for-data-t-f8c25532", "published_at": "2026-05-29 06:52:34.719344+00:00", "updated_at": "2026-05-29 06:52:38.753869+00:00", "lang": "en", "topics": ["ai-infrastructure", "ai-safety", "ai-policy"], "entities": ["js-logger-pack", "MicrosoftSystem64", "GBHackers", "JFrog", "HuggingFace"], "alternates": {"html": "https://wpnews.pro/news/js-logger-pack-delivers-microsoftsystem64-malware-for-data-theft", "markdown": 
"https://wpnews.pro/news/js-logger-pack-delivers-microsoftsystem64-malware-for-data-theft.md", "text": "https://wpnews.pro/news/js-logger-pack-delivers-microsoftsystem64-malware-for-data-theft.txt", "jsonld": "https://wpnews.pro/news/js-logger-pack-delivers-microsoftsystem64-malware-for-data-theft.jsonld"}}