js-logger-pack Operator Turns Hugging Face into a Malware CDN and Exfiltration Backend

2026-04-23 • Jfrog •

https://research.jfrog.com/post/hugging-face-exfil/

#NPM #T1567.002 #T1115 #T1056.001 #T1543.001 #T1547.001 #T1053.005 #T1195 #T1105 #HuggingFace

Thumbnail for js-logger-pack Operator Turns Hugging Face into a Malware CDN and Exfiltration Backend

Malicious `js-logger-pack` versions used an npm `postinstall` script to download cross-platform `MicrosoftSystem64` Node SEA implants from Hugging Face, giving the operator persistent access on Windows, macOS, and Linux. The implant connects to `195.201.194.107:8010`, logs keystrokes, monitors the clipboard, scans for files and secrets, supports arbitrary file operations and payload deployment, and can clear browser sessions to force reauthentication. JFrog found the current stage abuses private Hugging Face datasets as an exfiltration backend, allowing stolen archives to be stored outside the C2 server. The report also documents infrastructure and persona overlaps around `Lordplay`, `whisdev`, `snipmaxi`, and `jrodacooker.dev`, while cautioning that public evidence supports impersonation and infrastructure linkage rather than definitive real-world attribution.

Indicators of Compromise

Type	Value	First Seen	Last Seen
URL	http://195.201.194.107:8010	2026-05-29	2026-05-29
IPv4	195.201.194.107	2025-04-15	2026-05-29
DOMAIN	copilot-ai.whisdev.org	2026-05-28	2026-05-28
DOMAIN	api-sub.jrodacooker.dev	2025-04-15	2026-04-29

Related Reports

2026-04-15 • 76% Match

Malicious npm Package js-logger-pack Ships a Multi-Platform WebSocket Stealer

Safe Dep

#NPM #T1555 #T1195.002 #T1056.001 #T1552.001 #T1105 #T1547 #HuggingFace

Shares tags: NPM, T1056.001, T1105 • Shares 4 IOCs • Published within a month

2026-05-28 • 72% Match

Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace

Safe Dep

#NPM #FamousChollima #T1102.002 #T1119 #T1059.003 #T1567.002 #T1005 #T1113 #T1195.002 #T1056.001 #T1567 #T1543.001 #T1552 #T1547.001 #T1053.005 #T1059.001 #T1053 #T1102 #T1059 #T1195 #T1543 #T1552.004 #T1543.004 #T1547 #T1056 #HuggingFace

Shares tags: NPM, T1567.002, T1056.001 • Shares 3 IOCs

2026-05-20 • 40% Match

North Korean-Linked Threat Actor Targets Developers with New npm Infostealer RAT

Ox Security

#NPM #T1555 #T1115 #T1056.001 #T1552 #T1547.001 #T1053.005

Shares tags: NPM, T1115, T1056.001 • Published within a month

2026-05-14 • 36% Match

Disclosing new PebbleDash-based tools by Kimsuky

Kaspersky

#Kimsuky #Phishing #AppleSeed #PebbleDash #BlackBanshee #VelvetChollima #GitHub #ADS #APT43 #RubySleet #Springtail #HappyDoor #JSE #SparklingPisces #HttpTroy #VSCode #T1059.003 #T1005 #T1041 #T1113 #T1071.001 #T1056.001 #T1027 #T1566.001 #T1547.001 #T1053.005 #T1059.001 #T1105 #T1219 #T1543.003

Shares tags: T1056.001, T1547.001, T1053.005 • Published within a month

2026-05-14 • 36% Match

VELVET CHOLLIMA Infostealer Campaign Using Trading App as Lure

Hybrid Analysis

#Phishing #VelvetChollima #XenoRAT #MoonPeak #T1567.002 #T1056.001 #T1555.003 #T1053.005 #T1105

Shares tags: T1567.002, T1056.001, T1053.005 • Published within a month

2026-04-17 • 36% Match

850 Hostnames, 6 Servers, 1 Kill Chain: Mapping Kimsuky's 2026 Korean Credential Harvesting Machine

Break Glass Intelligence

#Kimsuky #Phishing #T1102.002 #T1082 #T1140 #T1041 #T1113 #T1608.001 #T1071.001 #T1115 #T1083 #T1497 #T1056.001 #T1204.001 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1567 #T1057 #T1059.005 #T1583.006 #T1583.003 #T1204.004 #T1518.001 #T1568.001 #T1566.001 #T1547.001 #T1585.002 #T1056.003 #T1053.005 #T1539 #T1608.005 #T1598.003 #T1590.005 #T1583.001 #T1059.001 #T1036.005

Shares tags: T1115, T1056.001, T1547.001 • Published within a week

« Back