Hackers Use Hugging Face for npm Supply Host Second-Stage
Cybersecurity researchers have identified a new and concerning tactic: threat actors are leveraging Hugging Face, a widely trusted platform within the artificial intelligence community, to host...
Cybersecurity researchers have identified a new and concerning tactic: threat actors are leveraging Hugging Face, a widely trusted platform within the artificial intelligence community, to host second-stage malware as part of ongoing npm supply chain attacks.
A threat actor linked to North Korea has embedded second-stage malware inside Hugging Face, the widely used AI and machine learning hub, effectively turning it into a malware delivery channel and a live data exfiltration backend for a sophisticated npm supply chain attack actively targeting software developers worldwide.
The attack began with a deceptively simple npm package called “terminal-logger-utils,” which was designed to look like a routine development utility.
Three additional packages tied to it, pretty-logger-utils, ts-logger-pack, and pinno-loggers, imported and spread the malicious behavior even further, putting any developer who installed them at immediate and serious risk.
The malware was capable of stealing Telegram data, SSH keys, cryptocurrency wallets, browser login databases, cloud configuration files, and environment variables across multiple drives.
Researchers at OX Security identified the malicious packages and traced the threat actor behind them to previously documented North Korean, or DPRK, campaigns. The threat actor account “jpeek895” had been flagged before on kmsec.uk for uploading a very similar npm package with direct ties to DPRK activity.
OX Security said in a report shared with Cyber Security News that the package exhibits keylogger, infostealer, and remote access trojan (RAT) behavior all at once, making it an unusually capable and dangerous threat.
What makes this attack stand out is how cleverly the attacker used Hugging Face to stay hidden from detection. Rather than running their own suspicious servers for malware delivery, they hosted the second-stage binary on Hugging Face’s platform, a site that most security filters treat as safe and trustworthy.
Stolen data was also uploaded to private Hugging Face datasets, meaning the malicious traffic blended seamlessly with everyday AI research activity and easily evaded scrutiny.
The npm maintainer accounts tied to the dependent packages, pvnd3540749, yggedd817513, and jpeek886, each played a role in spreading the infection.
Developers who installed any of the named packages during the active period should assume their environment has been compromised and act without delay.
Hackers Use Hugging Face
The malware’s entry point is a postinstall hook embedded inside the package’s package.json file.
When a developer runs npm install, the hook quietly opens a file called utils.cjs, which is an obfuscated malware dropper that checks the victim’s operating system and then fetches the appropriate binary from Hugging Face.
That downloaded binary is a Node.js Single Executable Application, a bundled file containing the full malicious JavaScript implant inside it.
Once running, it connects back to the attacker’s server over a WebSocket connection, giving the operator full machine control, including the ability to read and write files, execute shell commands, capture screenshots, and inject input.
A parallel background loop also runs at startup, continuously logging keystrokes, polling the clipboard, and sending stolen data to the attacker’s HTTP endpoint. All of this happens silently, with no visible signs to the developer.
Persistence and Self-Update Mechanism
Once the implant lands on a Windows machine, it installs itself under the path %LOCALAPPDATA%MicrosoftSystem64, a directory name deliberately chosen to resemble a legitimate Microsoft system folder.
It then registers a login persistence mechanism through a hidden VBS launcher and a scheduled task, with a registry Run key as a fallback in case the primary methods fail.
On its first run, the malware also checks whether it needs to update itself by reaching out to the operator’s Hugging Face repository. This self-update capability means the attacker can quietly swap out or upgrade the implant without reinfecting the victim.
Security teams are strongly advised to remove the malware from any infected machine immediately, block all network requests to the known indicators of compromise listed below, and perform full key rotation with two-factor authentication enabled.
Developers should treat any postinstall script in unfamiliar packages as untrusted by default, and prefer lockfile-driven installs using npm ci in all CI and build pipeline environments.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| npm Package | terminal-logger-utils | Primary malicious npm package; contains the postinstall hook that triggers the attack chain |
| npm Package | pretty-logger-utils | Dependent malicious package that imports terminal-logger-utils |
| npm Package | ts-logger-pack | Dependent malicious package that imports terminal-logger-utils |
| npm Package | pinno-loggers | Dependent malicious package that imports terminal-logger-utils |
| File Name | utils.cjs | Obfuscated malware dropper; opened by the postinstall hook to download second-stage payload |
| File Path | %LOCALAPPDATA%MicrosoftSystem64 | Persistence installation path used by the implant on Windows machines |
| Hugging Face Repository | Lordplay/system-releases | Attacker-controlled repository used to host the second-stage Node.js SEA binaries |
| HTTP Endpoint | /api/validate/keyboard-events | C2 endpoint used by the implant to exfiltrate keystroke data over HTTP |
| Threat Actor Account | jpeek895 | npm account responsible for uploading the primary malicious package |
| npm Account | pvnd3540749 | Maintainer account linked to the dependent malicious packages |
| npm Account | yggedd817513 | Maintainer account linked to the dependent malicious packages |
| npm Account | jpeek886 | Maintainer account linked to the dependent malicious packages |
| IP Address | 195.201.194.107 | WebSocket C2 server address used by the implant for full machine control |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.