Malicious npm Package js-logger-pack Ships a Multi-Platform WebSocket Stealer

2026-04-15 Safe Dep

https://safedep.io/malicious-js-logger-pack-npm-stealer/


A malicious npm package named js-logger-pack evolved from harmless probes into a full multi-platform infostealer and later a HuggingFace-hosted binary dropper. Weaponized versions installed a Linux SSH backdoor, exfiltrated Telegram Desktop sessions, stole developer and cloud credentials, targeted 27 crypto wallets, scanned sensitive files, streamed native keylogger data, and established persistence on Windows, macOS, and Linux. The operation used api-sub.jrodacooker.dev and 195.201.194.107:8010 for C2, with later versions downloading MicrosoftSystem64 binaries from a HuggingFace repository. The report does not attribute the activity to a known actor, but leaked source exposed the handle and host comment bink@DESKTOP-N8JGD6T.

Indicators of Compromise

Type    Value                         First Seen   Last Seen
URL     http://195.201.194.107:8010   2026-05-29   2026-05-29
IPv4    195.201.194.107               2025-04-15   2026-05-29
DOMAIN  copilot-ai.whisdev.org        2026-05-28   2026-05-28
DOMAIN  api-sub.jrodacooker.dev       2025-04-15   2026-04-29
