Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace

2026-05-28 Safe Dep

https://safedep.io/microsoftsystem64-binary-payload-analysis/

A malicious npm package, js-logger-pack, evolved from a probe into a dropper for MicrosoftSystem64, a cross-platform Node.js Single Executable Application that functions as an infostealer and RAT. The payload targets browser credentials, more than 80 cryptocurrency wallet extensions, Telegram Desktop sessions, SSH keys, clipboard data, keystrokes, and screenshots across Linux, Windows, and macOS. It connects to a WebSocket C2 at 195.201.194.107:8010, accepts 24 remote task types including shell execution and file theft, and exfiltrates data to attacker-controlled HuggingFace datasets using an embedded token. As of May 28, SafeDep found the infrastructure still active: the HuggingFace token was still valid, the C2 was still accepting connections, and real victims remained under active surveillance, showing that public disclosure had not immediately disrupted the operation.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
URL     http://195.201.194.107:8010         2026-05-29   2026-05-29
IPv4    195.201.194.107                     2025-04-15   2026-05-29
DOMAIN  changelog.rest                      2026-05-28   2026-05-28
DOMAIN  sha256-validate-rpc.vercel.app      2026-05-28   2026-05-28
DOMAIN  copilot-ai.whisdev.org              2026-05-28   2026-05-28
URL     http://195.201.194.107:8010/api…    2026-05-28   2026-05-28
URL     https://huggingface.co/jpeek998…    2026-05-28   2026-05-28
HASH    d4a81c2dd56e685af3f8cf5428a0f47b    2026-05-28   2026-05-28
