Critical npm Package Hijacks Hugging Face as Malware CDN
Key Takeaways A malicious npm package, `js-logger-pack`, was found to exploit Hugging Face, an AI model hosting platform, as both a malware distribution channel and a data exfiltration hub. The...
Key Takeaways
- A malicious npm package, `js-logger-pack`, was found to exploit Hugging Face, an AI model hosting platform, as both a malware distribution channel and a data exfiltration hub.
- The attack leverages a `postinstall` script to deploy platform-specific malware, establishing persistence across Windows, macOS, and Linux systems.
- Compromised systems are exposed to extensive data theft, including credentials, files, and keystrokes, with stolen data discreetly stored in private Hugging Face datasets.
- JFrog Security researchers identified the threat on April 23, 2026, and recommend immediate action for systems that installed `js-logger-pack` version 1.1.27.
A recently uncovered malicious npm package, `js-logger-pack`, has transformed Hugging Face, a widely recognized platform for hosting AI models, into a dual-purpose infrastructure for distributing malware and exfiltrating sensitive data. This sophisticated campaign highlights a concerning evolution in how threat actors are exploiting legitimate cloud services to conduct supply chain attacks while maintaining a low profile, as detailed in a recent report.
Table Of Content
The Covert Infection Chain
Initially, the `js-logger-pack` package appeared innocuous, presenting itself as a benign logger. However, upon installation by unsuspecting developers, the true threat was activated through a `postinstall` script. This script executed automatically, initiating a hidden downloader as a detached background process, allowing the visible npm installation to complete without raising suspicion.
The downloader then retrieved one of four malicious binaries from a public Hugging Face repository, identified as Lordplay/system-releases, controlled by the attacker. These binaries were tailored to the host operating system.
Researchers at JFrog Security successfully extracted the embedded JavaScript payload from all four Node.js Single Executable Application (SEA) binaries, covering Windows, macOS, and Linux. Their analysis confirmed that the same cross-platform JavaScript bundle, containing all malicious logic, was injected into each container. This indicated that the four binaries were not distinct malware families but rather the identical implant wrapped within different Node.js runtime environments. JFrog published their comprehensive findings on April 23, 2026.
Establishing Persistence and Control
Once deployed, the malware established persistence using native operating system mechanisms. On Windows, it utilized scheduled tasks and registry Run keys. For macOS, LaunchAgent entries were created, and on Linux, systemd user units ensured its continued operation. The implant then initiated communication with a hard-coded command-and-control (C2) server at 195[.]201[.]194[.]107 via WebSocket, transmitting system information.
This provided the attacker with a live foothold, enabling a wide range of malicious activities, including reading and writing arbitrary files, scanning for credentials, logging keystrokes, monitoring clipboard data, and deploying additional payloads.
Hugging Face as the Exfiltration Backend
A particularly alarming aspect of this campaign was the attacker’s innovative use of Hugging Face as a live data exfiltration channel. Instead of relying on private servers to store stolen data, the threat actor redirected all collected information into private Hugging Face datasets, effectively outsourcing the entire data theft storage to Hugging Face’s own robust infrastructure.

When an upload task was triggered by the C2, the implant received a Hugging Face token, a username, a target path, and an upload ID. It then compressed the specified file or folder into a gzip archive, created or reused a private Hugging Face dataset under the attacker’s account, and uploaded the archive using an embedded Hugging Face hub client. Upon successful upload, the implant notified the Hetzner-hosted controller. To ensure data integrity, pending uploads were tracked in a local state file and resumed automatically upon reconnection, preventing any loss of stolen data even if the connection was interrupted.
This strategy offered the attacker a significant operational advantage by minimizing the C2 server’s exposure and making traffic detection more challenging. By leveraging Hugging Face for storage, the attacker simply directed the implant to attacker-controlled accounts, offloading the storage burden to the platform. Furthermore, the implant included a session-clearing feature that could terminate browser processes and wipe credentials, forcing users to re-enter passwords while the keylogger was actively running. Any credentials entered after such a forced logout could be swiftly captured and sent to a private dataset within minutes.
What You Should Do
- Immediately rotate all secrets, including AWS keys, SSH keys, npm tokens, database passwords, API keys, and credentials stored in browser profiles.
- Remove all persistence artifacts: delete the `MicrosoftSystem64` scheduled task, registry Run key, LaunchAgent entry, or systemd user unit, depending on the affected operating system.
- Purge the malicious package and clear the npm cache. Subsequently, run
npm config set ignore-scripts trueto prevent `postinstall` hooks from executing automatically. - Thoroughly review all `package.json` dependency changes, including minor patch-level updates, for any unauthorized modifications.
- Any machine that installed `js-logger-pack` version 1.1.27 should be considered fully compromised until all secrets have been rotated and all persistence artifacts have been eradicated.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.