js-logger-pack Turns Hugging Face Into Malware CDN
A malicious npm package, js-logger-pack, uses a hidden postinstall script to convert Hugging Face into both a malware distribution point and a live exfiltration backend. The package installs a detached background downloader that fetches platform-specific Node.js Single Executable Application (SEA) binaries from the attacker's public Hugging Face repo Lordplay/system-releases. Analysts found the same JavaScript implant wrapped in four Node.js SEA binaries for Windows, macOS, and Linux. Once installed, the implant establishes persistence, opens a WebSocket to 195.201.194.107, and provides file read/write, credential scanning, keystroke logging, clipboard monitoring, and remote payload delivery. This campaign demonstrates a shift: attackers are abusing trusted ML model hosting to hide command-and-control and exfiltration, turning developer supply chains into operational infrastructure for implants.
What happened
A malicious npm package, js-logger-pack, has been observed using a postinstall hook to silently run a detached downloader that pulls cross-platform payloads from Hugging Face, effectively turning Hugging Face into a malware CDN and a live exfiltration backend. The attacker-hosted repository Lordplay/system-releases contained four Node.js Single Executable Application (SEA) binaries that each unpack and run the same JavaScript implant. Researchers published detailed findings on April 23, 2026.
Technical details
The initial compromise relies on an innocuous-looking logging package whose postinstall script launches a background process so npm install appears to succeed normally. That process fetches one of four platform-wrapped SEA binaries from the public Hugging Face repo Lordplay/system-releases and executes the embedded JavaScript payload. The implant implements persistence via platform-native mechanisms and maintains a live connection:
- Persistence methods observed: Run registry keys and scheduled tasks on Windows, LaunchAgent entries on macOS, and systemd user units on Linux.
- Network and control: a persistent WebSocket connection to 195.201.194.107, enabling interactive command-and-control.
- Capabilities of the implant include file system read/write, credential scanning, keystroke logging, clipboard monitoring, filesystem exfiltration to Hugging Face-hosted artifacts, and the ability to fetch and execute additional payloads.
Context and significance
This campaign is an escalation in supply chain technique. Attackers already abuse cloud object storage and code registries; here they exploit an AI model hosting platform that development and research teams treat as a trusted artifact registry. Using Hugging Face as both a distribution CDN and an exfiltration sink reduces attacker infrastructure costs and increases stealth because traffic to model repos is common in ML pipelines. Packaging the same JavaScript implant inside multiple SEA wrappers simplifies cross-platform distribution while avoiding separate malware families. For ML practitioners, the risk model changes: model hosting services are no longer just content distributors, they are potential command-and-control and storage endpoints.
Operational implications for practitioners
The attack underlines predictable mitigations you should apply now. Treat any postinstall script as untrusted by default, prefer lockfile-driven installs with npm ci, and restrict transient network egress for build and CI environments. Integrate artifact provenance and SBOM checks into model and dependency pipelines, scan public model repos referenced in deployment manifests, and require authenticated and integrity-checked downloads for runtime assets.
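One way to enforce "postinstall scripts are untrusted by default" in CI, shown as an added example that is not part of the original article: npm records a hasInstallScript flag in package-lock.json (lockfileVersion 2 and 3) for any package with a preinstall, install or postinstall script, so the lockfile can be audited before anything is installed. The allowlist, the sample lockfile, the placeholder versions and every package name other than js-logger-pack are constructed for illustration.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3) for packages
// that declare install-time scripts and report any that are not approved.

// Hypothetical allowlist of packages reviewed and accepted to run install scripts.
const APPROVED_INSTALL_SCRIPTS = new Set(["reviewed-native-addon"]);

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every locked package that npm flagged with hasInstallScript
// (preinstall, install or postinstall present) and that is not approved.
function findUnapprovedInstallScripts(lockfile, approved = APPROVED_INSTALL_SCRIPTS) {
  if (!lockfile || !lockfile.packages || typeof lockfile.packages !== "object") {
    throw new Error("expected a lockfileVersion 2/3 package-lock.json with a 'packages' map");
  }
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    if (lockPath === "" || !entry.hasInstallScript) continue; // "" is the root project
    const name = entry.name || packageNameFromPath(lockPath);
    if (!approved.has(name)) {
      findings.push({ name, version: entry.version, path: lockPath });
    }
  }
  return findings;
}

// Constructed sample lockfile; versions are placeholders, not real releases.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/reviewed-native-addon": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/js-logger-pack": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/plain-lib": { version: "0.0.0-example" },
    "node_modules/app/node_modules/@scope/native-thing": { version: "0.0.0-example", hasInstallScript: true },
  },
};

for (const f of findUnapprovedInstallScripts(SAMPLE_LOCKFILE)) {
  console.log(`unapproved install script: ${f.name}@${f.version} (${f.path})`);
}
```

In a pipeline, pass the parsed package-lock.json to findUnapprovedInstallScripts and fail the job on any finding, then install with npm ci --ignore-scripts and run scripts only for the approved packages.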
What to watch
Expect takedowns and package removals from npm and Hugging Face, plus scanning and remediation guidance from security vendors. Monitor for similar campaigns that substitute other public artifact hosts as exfiltration or CDN layers, and watch for vendor policy changes that restrict anonymous repository artifacts or add integrity verification by default.
Scoring Rationale
This is a notable supply-chain attack that leverages a widely trusted ML hosting platform as both CDN and exfiltration backend. It directly affects developer and ML pipelines and demonstrates a rising trend of abusing model infrastructure, warranting high but not historic impact.

