# js-logger-pack Delivers MicrosoftSystem64 Malware for Data Theft

> Source: <https://letsdatascience.com/news/js-logger-pack-delivers-microsoftsystem64-malware-for-data-t-f8c25532>
> Published: 2026-05-29 06:52:34.719344+00:00

According to GBHackers, a malicious npm package called **js-logger-pack** was first observed in early April 2026 and evolved across **29** incremental versions into a cross-platform malware loader. Per GBHackers, the package deploys a core payload named **MicrosoftSystem64**, an **81 MB** stripped ELF binary that also targets Windows and macOS and supports Node.js v20.18.2 single-executable packaging. GBHackers reports the malware connects to a command-and-control server at **195.201.194.107:8010** and implements **24** commands for remote control. The campaign extracts saved credentials from over **15** browser families, targets more than **80** cryptocurrency wallet extensions, compresses and exfiltrates Telegram Desktop tdata, and harvests SSH keys; GBHackers says a valid **HuggingFace API token** was abused for covert exfiltration. GBHackers also cites subsequent analysis by **JFrog** on the unusual use of HuggingFace infrastructure. GBHackers reports that the C2 server remained operational as of May 28, and that the embedded token was still valid at the time of discovery.

### What happened

According to GBHackers, a supply-chain malicious npm package named **js-logger-pack** was first observed in early April 2026 and progressed through **29** incremental versions into a multifunctional loader. Per GBHackers, the package delivers a second-stage payload called **MicrosoftSystem64**, described as an **81 MB** stripped ELF binary that also runs on Windows and macOS and is packaged using Node.js v20.18.2 single-executable technology. GBHackers reports that the malware establishes a WebSocket connection to a command-and-control server at **195.201.194.107:8010**, exposes **24** supported commands for remote control, and remained active as of May 28. GBHackers also reports the operation abused a valid **HuggingFace API token** for data exfiltration; the token was reported for revocation after discovery. Subsequent analysis by **JFrog**, cited by GBHackers, highlighted the unusual use of HuggingFace infrastructure for covert data collection.

### Technical details

Per GBHackers, the threat harvests browser-stored data across more than **15** browser families, extracting saved credentials and cookies; targets over **80** cryptocurrency wallet extensions for wallet files and extension storage; collects Telegram Desktop tdata to hijack sessions; and exfiltrates SSH private keys such as **id_rsa** and **id_ed25519**. According to the reported indicators, the single-binary, multi-platform packaging means the same payload can be delivered into a developer's toolchain on any supported operating system once the package is installed.
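As an added, defender-side example (not code from GBHackers, JFrog or this page), the following Python checks an npm lockfile and proxy log lines against the two concrete indicators reported above, the package name and the C2 socket; the lockfile contents, the `dst=ip:port` log format and all version numbers are constructed assumptions.

```python
import json
import re

# Indicators taken from the report above; everything else in this block is constructed.
MALICIOUS_PACKAGE = "js-logger-pack"
C2_HOST, C2_PORT = "195.201.194.107", 8010

def find_package_in_lockfile(lock_text):
    """Return every install path in a lockfileVersion 2/3 package-lock.json that resolves
    to the malicious package, including nested (transitive) copies."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # Aliased installs carry an explicit 'name'; otherwise the name is the last path segment.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name == MALICIOUS_PACKAGE:
            hits.append(path)
    return hits

# Assumed proxy/firewall log shape: '... dst=<ip>:<port> ...' (constructed format).
_DST = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\b")

def find_c2_connections(log_lines):
    """Return log lines whose destination matches the reported C2 socket exactly (host and port)."""
    return [
        line for line in log_lines
        if (m := _DST.search(line))
        and m.group("ip") == C2_HOST and int(m.group("port")) == C2_PORT
    ]

# Constructed sample inputs: a lockfile that pulls the package in transitively, and two log lines.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-util": "^1.0.0"}},
        "node_modules/example-util": {"version": "1.0.0", "dependencies": {"js-logger-pack": "*"}},
        "node_modules/example-util/node_modules/js-logger-pack": {"version": "0.0.0"},
    },
})
SAMPLE_LOGS = [
    "2026-05-28T10:00:01Z host=dev-laptop proto=tcp dst=203.0.113.10:443 action=allow",
    "2026-05-28T10:00:07Z host=dev-laptop proto=tcp dst=195.201.194.107:8010 action=allow",
]

if __name__ == "__main__":
    print("malicious package paths:", find_package_in_lockfile(SAMPLE_LOCK))
    print("C2 connections:", find_c2_connections(SAMPLE_LOGS))
```

The HuggingFace exfiltration channel the report describes cannot be matched by destination address this way, since that traffic goes to a legitimate service; it has to be found by reviewing unexpected HuggingFace API use from developer hosts.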

Editorial analysis - technical context: Supply-chain attackers commonly evolve benign-seeming packages through many small updates to avoid detection; the reported 29-version escalation matches that pattern. Abuse of third-party cloud or hosting APIs for exfiltration is an emerging trend that complicates detection because the traffic appears to be destined for legitimate services.

### Context and significance

Editorial analysis: For maintainers and security teams, a supply-chain package that morphs into a cross-platform loader and leverages widely trusted infrastructure for data egress raises both detection and incident-response complexity. The targeting of browser credentials, crypto extensions, Telegram session data, and SSH keys increases downstream risk to both individual developers and organizations that pull dependencies.

### What to watch

Editorial analysis: Observers should track revocation of the reported HuggingFace token, takedown of the C2 endpoint GBHackers identified, and any further technical disclosures from JFrog or other researchers that expand IOCs, packaging fingerprints, or command semantics.

## Scoring Rationale

This is a notable supply-chain compromise with multi-platform impact and novel abuse of a public ML infrastructure endpoint for exfiltration, raising detection and response complexity for practitioners.
