What happened
According to GBHackers, a supply-chain malicious npm package named js-logger-pack was first observed in early April 2026 and progressed through 29 incremental versions into a multifunctional loader. Per GBHackers, the package delivers a second-stage payload called MicrosoftSystem64, described as an 81 MB stripped ELF binary that also runs on Windows and macOS and is packaged using Node.js v20.18.2 single-executable technology. GBHackers reports that the malware establishes a WebSocket connection to a command-and-control server at 195.201.194.107:8010, exposes 24 supported commands for remote control, and remained active as of May 28. GBHackers also reports the operation abused a valid HuggingFace API token for data exfiltration; the token was reported for revocation after discovery. Subsequent analysis by JFrog, cited by GBHackers, highlighted the unusual use of HuggingFace infrastructure for covert data collection.
Technical details
Per GBHackers, the threat harvests browser-stored data across more than 15 browser families, extracts saved credentials and cookies, targets over 80 cryptocurrency wallet extensions for wallet files and extension storage, collects Telegram Desktop tdata to hijack sessions, and exfiltrates SSH private keys such as id_rsa and id_ed25519. The malware's multi-platform packaging and single-binary delivery enable straightforward developer-toolchain integration in compromised supply chains, according to the reported indicators.
Editorial analysis - technical context: Supply-chain attackers commonly evolve benign-seeming packages through many small updates to avoid detection; the reported 29-version escalation matches that pattern. Abuse of third-party cloud or hosting APIs for exfiltration is an emerging trend that complicates detection because the traffic is addressed to legitimate services.
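A defender can turn the indicators reported above into simple checks. The following Python script is an added example, not code from GBHackers, JFrog or the package in question; it uses only the package name, the payload name and the C2 address and port stated in the report. It looks for the package in an npm lockfile (lockfile v1 "dependencies" trees and v2/v3 "packages" maps) and flags connection-log lines that reference the reported C2 endpoint. The lockfile contents, version strings and log lines are constructed for the demonstration.

```python
import json
import re

# Indicators as reported by GBHackers (see the summary above).
MALICIOUS_PACKAGE = "js-logger-pack"
PAYLOAD_NAME = "MicrosoftSystem64"
C2_HOST = "195.201.194.107"
C2_PORT = 8010

# Matches "195.201.194.107:8010" as a whole token (not e.g. ":80101").
C2_PATTERN = re.compile(rf"\b{re.escape(C2_HOST)}:{C2_PORT}\b")


def find_package_in_lockfile(lockfile_text):
    """Return every location in an npm lockfile that resolves to the reported package.

    lockfileVersion 2/3 carry a flat "packages" map keyed by install path;
    lockfileVersion 1 carries a nested "dependencies" tree. v2 files contain
    both, so the flat map is preferred when present to avoid double reporting.
    """
    data = json.loads(lockfile_text)
    hits = []
    packages = data.get("packages")
    if packages:
        for install_path in packages:
            # Keys look like "node_modules/<name>" or "node_modules/a/node_modules/<name>".
            if install_path.split("node_modules/")[-1] == MALICIOUS_PACKAGE:
                hits.append(install_path)
        return hits

    def walk(deps, prefix=""):
        for name, info in deps.items():
            path = prefix + name
            if name == MALICIOUS_PACKAGE:
                hits.append(path)
            walk(info.get("dependencies", {}), path + " > ")

    walk(data.get("dependencies", {}))
    return hits


def flag_c2_connections(log_lines):
    """Return connection-log lines that reference the reported C2 host:port."""
    return [line for line in log_lines if C2_PATTERN.search(line)]


def flag_payload_processes(log_lines):
    """Return log lines whose process field names the reported second-stage binary."""
    return [line for line in log_lines if PAYLOAD_NAME in line]


# Constructed sample inputs; the version numbers are placeholders, not values from the report.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"js-logger-pack": "*", "lodash": "*"}},
        "node_modules/js-logger-pack": {"version": "0.0.0"},
        "node_modules/lodash": {"version": "0.0.0"},
    },
})

SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {
            "version": "0.0.0",
            "dependencies": {"js-logger-pack": {"version": "0.0.0"}},
        }
    },
})

# Constructed egress log lines in a generic "<time> <process>[pid] <src> -> <dst>" layout.
SAMPLE_LOGS = [
    "2026-05-01T10:00:01Z node[4321] outbound tcp 10.0.0.5:51324 -> 195.201.194.107:8010 websocket",
    "2026-05-01T10:00:02Z node[4321] outbound tcp 10.0.0.5:51325 -> 203.0.113.10:443",
    "2026-05-01T10:00:03Z MicrosoftSystem64[4400] outbound tcp 10.0.0.5:51326 -> 195.201.194.107:8010",
]


if __name__ == "__main__":
    print("v3 lockfile hits:", find_package_in_lockfile(SAMPLE_LOCKFILE_V3))
    print("v1 lockfile hits:", find_package_in_lockfile(SAMPLE_LOCKFILE_V1))
    print("C2 connections:", flag_c2_connections(SAMPLE_LOGS))
    print("payload processes:", flag_payload_processes(SAMPLE_LOGS))
```

In practice the lockfile check belongs in CI and the log checks in whatever egress or EDR telemetry the organisation already collects; a hit on the package name warrants rotating the browser, wallet, Telegram and SSH credentials the report says the loader targets, since the C2 address can change while the package keeps its name.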
Context and significance
Editorial analysis: For maintainers and security teams, a supply-chain package that morphs into a cross-platform loader and leverages widely trusted infrastructure for data egress raises both detection and incident-response complexity. The targeting of browser credentials, crypto extensions, Telegram session data, and SSH keys increases downstream risk to both individual developers and organizations that pull dependencies.
What to watch
Editorial analysis: Observers should track revocation of the reported HuggingFace token, takedown of the C2 endpoint GBHackers identified, and any further technical disclosures from JFrog or other researchers that expand IOCs, packaging fingerprints, or command semantics.
Key Points
- js-logger-pack evolved across 29 npm versions into a multi-platform loader, enabling prolonged supply-chain compromise (GBHackers).
- Attackers reportedly used a valid HuggingFace API token for covert exfiltration, complicating network-based detection (GBHackers, JFrog).
- The malware targets browsers, crypto extensions, Telegram sessions, and SSH keys, raising broad credential and session-theft risk for developers and users.
Scoring Rationale
This is a notable supply-chain compromise with multi-platform impact and novel abuse of a public ML infrastructure endpoint for exfiltration, raising detection and response complexity for practitioners.