MicrosoftSystem64 Malware Uses Hugging Face Datasets to Steal Data From Developers
A cross-platform malware payload called MicrosoftSystem64 is using Hugging Face datasets as a stealthy data exfiltration channel after spreading through malicious npm packages. According to the SafeDep analysis, the malware can steal browser credentials, crypto wallet data, Telegram sessions, SSH keys, screenshots, clipboard content, and keystrokes from infected developer systems.
The campaign started with a poisoned npm package named js-logger-pack, which evolved through 29 versions from a simple probe into a full malware dropper. Later versions downloaded MicrosoftSystem64, an 81 MB Node.js Single Executable Application that runs across Windows, Linux, and macOS.
The most unusual part of the operation is the exfiltration path. Instead of sending stolen files directly to a private attacker server, the malware uploads data into attacker-controlled private datasets on Hugging Face, making outbound traffic look like normal activity to a trusted AI platform.
How MicrosoftSystem64 Reaches Developer Systems
The infection chain begins in the open-source supply chain. Developers install what looks like a small logging utility, but a postinstall script runs during installation and pulls the second-stage payload.
The npm install documentation explains that install commands can run build scripts such as preinstall, install, and postinstall scripts. Attackers often abuse that behavior because it gives them code execution before a developer actually imports the package.
JFrog found the same pattern in later js-logger-pack versions. Its JFrog Research report says [email protected] acted as a thin dropper that fetched platform-specific MicrosoftSystem64 binaries from a Hugging Face repository.
| Stage | What Happens | Why It Matters |
|---|---|---|
| npm install | A malicious package runs its install script | The victim does not need to manually run malware |
| Binary download | The package pulls MicrosoftSystem64 from Hugging Face | The payload comes from trusted AI infrastructure |
| Persistence | The malware creates startup entries on the host | It survives reboots across Windows, macOS, and Linux |
| Exfiltration | Stolen files move into private Hugging Face datasets | The traffic blends into normal HTTPS activity |
Why Hugging Face Datasets Help the Malware Hide
Hugging Face is widely used by developers, AI teams, researchers, and enterprise ML workflows. Traffic to the platform may not look suspicious in organizations that already use AI tools and model hubs.
The legitimate Hugging Face dataset documentation describes how users can programmatically upload datasets to the Hub and create private datasets that only the owner or organization members can access. MicrosoftSystem64 abuses that normal workflow for stolen data storage.
This approach gives the attacker an operational advantage. The controller can stay lightweight while Hugging Face handles storage for screenshots, stolen credentials, SSH keys, and other collected files.
What the Malware Can Steal
MicrosoftSystem64 is not a basic downloader. SafeDep describes it as a full remote access trojan and information stealer packaged inside a large Node.js SEA binary.
The payload targets 15 browser families, including Chrome, Edge, Brave, Firefox, Opera, Vivaldi, Safari, Yandex, Chromium, CocCoc, CentBrowser, Opera GX, Chrome Beta, Chrome Canary, and Edge Beta. It also searches for more than 80 cryptocurrency wallet browser extensions.
The malware can also hijack Telegram Desktop sessions, copy SSH keys, monitor the clipboard, log keystrokes, capture screenshots every 60 seconds, and execute remote commands from the attacker’s server.
- Browser-stored credentials and session data
- Cryptocurrency wallet extension data
- Telegram Desktop tdata folders
- SSH keys and known_hosts files
- Clipboard contents
- Keystrokes from native OS APIs
- Periodic desktop screenshots
- Arbitrary files requested by the operator
Persistence Works Across Windows, macOS, and Linux
After execution, MicrosoftSystem64 installs itself using platform-native persistence methods. On Windows, it can create a scheduled task and registry Run entry. On macOS, it uses a LaunchAgent. On Linux, it creates a user-level systemd service and an autostart desktop entry.
The process name also helps the malware blend in. By calling itself MicrosoftSystem64, the payload can look like a legitimate Microsoft-related component during a quick process review.
SafeDep reported that the binary also checks Hugging Face every 24 hours for updates. That allows the attacker to replace the malware with a newer version without repeating the original npm infection path.
| Platform | Persistence Method | Reported Path or Name |
|---|---|---|
| Windows | Scheduled task and registry Run key | \MicrosoftSystem64 and HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
| macOS | LaunchAgent | ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist |
| Linux | systemd user service and XDG autostart | ~/.config/systemd/user/MicrosoftSystem64.service |
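A host check for the persistence artifacts in the table above, added here as an example and not taken from the SafeDep or JFrog reports. It assumes the Run key value's name or data contains the payload name, and it skips the Linux autostart entry because no path for it is reported.

```python
import os
import subprocess
import sys

NAME = "MicrosoftSystem64"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# File artifacts from the table above, relative to the user's home directory.
FILE_ARTIFACTS = {
    "darwin": ["Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist"],
    "linux": [".config/systemd/user/MicrosoftSystem64.service"],
}

def file_hits(platform, home):
    """Return the reported persistence files that exist under `home`."""
    candidates = [os.path.join(home, rel) for rel in FILE_ARTIFACTS.get(platform, [])]
    # lexists also catches a dangling symlink left at the reported path
    return [path for path in candidates if os.path.lexists(path)]

def windows_hits(run=subprocess.run):
    """Query the scheduled task and Run key with built-in Windows tools."""
    hits = []
    task = run(["schtasks", "/Query", "/TN", "\\" + NAME],
               capture_output=True, text=True)
    if task.returncode == 0:  # schtasks returns non-zero when the task is absent
        hits.append("scheduled task \\" + NAME)
    reg = run(["reg", "query", RUN_KEY], capture_output=True, text=True)
    # Assumption: the Run value's name or data contains the payload name.
    if reg.returncode == 0 and NAME.lower() in reg.stdout.lower():
        hits.append("Run value under " + RUN_KEY)
    return hits

def check_host(platform=sys.platform, home=None):
    """Dispatch to the checks that apply to this operating system."""
    if platform == "win32":
        return windows_hits()
    home = home or os.path.expanduser("~")
    return file_hits("darwin" if platform == "darwin" else "linux", home)

if __name__ == "__main__":
    found = check_host()
    for hit in found:
        print("FOUND:", hit)
    sys.exit(1 if found else 0)
```

Run it as each developer account on the host, since every artifact in the table is per-user. A clean result does not clear a machine that installed one of the packages.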
JFrog Confirms Hugging Face Exfiltration
JFrog separately analyzed the campaign and found that the operator was using private Hugging Face datasets as a live exfiltration backend. The JFrog write-up also documented the live command-and-control protocol and identified all four Node SEA binaries used across supported platforms.
When the operator triggers an upload, the implant receives a Hugging Face token, a username, a target path, and an upload ID. It compresses the requested data and uploads the archive to a private dataset controlled by the attacker.
The public Hugging Face scanner documentation notes that Hugging Face partnered with JFrog to detect malicious behavior in machine learning models. This case shows that attackers can still abuse trusted collaboration infrastructure in ways that look different from a malicious model upload.
Related Packages and Attribution Clues
Researchers have linked the activity to a broader cluster of malicious logger-style npm packages. The names include js-logger-pack, terminal-logger-utils, ts-logger-pack, pretty-logger-utils, and pinno-loggers.
A separate OX Security report on related npm infostealer activity says terminal-logger-utils showed keylogger, infostealer, and RAT behavior and traced the threat actor to previously documented North Korean-linked campaigns. That attribution should be treated as a threat-intelligence assessment, not a legal identity claim.
The campaign also overlaps with developer-focused attack patterns seen in Contagious Interview activity, where threat actors target programmers through fake job tasks, malicious packages, and open-source tooling lures.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| IP address | 195[.]201[.]194[.]107:8010 | WebSocket and HTTP command-and-control server |
| File hash | b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97 | MicrosoftSystem64 Linux ELF binary |
| File name | MicrosoftSystem64 | Linux payload name |
| File name | MicrosoftSystem64.exe | Windows payload name |
| File name | MicrosoftSystem64-darwin-x64 | macOS Intel payload |
| File name | MicrosoftSystem64-darwin-arm64 | macOS Apple Silicon payload |
| Hugging Face account | jpeek998 | Reported exfiltration account |
| Hugging Face account | Lordplay | Earlier binary staging account |
| npm package | js-logger-pack | Primary dropper package |
| npm package | terminal-logger-utils | Related dropper package |
| npm package | ts-logger-pack | Dependency proxy to terminal-logger-utils |
| npm package | pretty-logger-utils | Related malicious package |
| npm package | pinno-loggers | Related malicious package |
| C2 hostname | copilot-ai.whisdev[.]org | Secondary hostname on the same IP |
| Registration marker | .registered | First-execution marker in the install directory |
What Developers Should Do Now
Any developer who installed js-logger-pack or related packages should treat the machine as fully compromised. The same applies to build runners and CI/CD systems that installed those dependencies.
Security teams should isolate affected hosts, remove persistence artifacts, rotate credentials, revoke exposed API tokens, replace SSH keys, and move cryptocurrency wallets to new seed phrases from a clean device.
Teams should also review npm install behavior in sensitive environments. The npm ignore-scripts option can stop package scripts from running automatically, although teams must test it because some legitimate packages depend on install scripts.
- Search dependency files and lockfiles for js-logger-pack and related packages.
- Check for MicrosoftSystem64 persistence paths on all developer systems.
- Block or investigate traffic to 195[.]201[.]194[.]107:8010.
- Review outbound traffic to Hugging Face from systems that do not normally use AI tooling.
- Rotate passwords, SSH keys, npm tokens, cloud keys, database secrets, and API tokens.
- Move crypto assets to wallets created on a clean device.
- Rebuild affected CI runners instead of only deleting files.
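The lockfile search and the install-script review described above can be done in one pass over package-lock.json. This is an added example, not code from any of the cited reports; it relies on npm's `hasInstallScript` lockfile field, and the sample lockfile and its version numbers are constructed placeholders.

```python
import json
import sys

# Package names reported for this campaign (from the article).
REPORTED = {"js-logger-pack", "terminal-logger-utils", "ts-logger-pack",
            "pretty-logger-utils", "pinno-loggers"}

# Constructed lockfile for illustration; names and versions are placeholders.
SAMPLE = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/ts-logger-pack": {"version": "0.0.0"},
    "node_modules/ts-logger-pack/node_modules/terminal-logger-utils":
        {"version": "0.0.0", "hasInstallScript": True},
    "node_modules/native-addon-demo": {"version": "0.0.0", "hasInstallScript": True},
}}

def walk_v1(deps, trail=()):
    """Yield (name, version, trail) from lockfileVersion 1 nested dependencies."""
    for name, meta in (deps or {}).items():
        yield name, meta.get("version"), trail + (name,)
        yield from walk_v1(meta.get("dependencies"), trail + (name,))

def scan_lockfile(lock):
    """Return (reported_hits, install_script_paths) for a parsed lockfile."""
    hits, scripted = [], []
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project
        # "name" is only present when it differs from the folder (npm aliases).
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in REPORTED:
            hits.append((name, meta.get("version"), path))
        if meta.get("hasInstallScript"):
            scripted.append(path)
    if "packages" not in lock:  # lockfileVersion 1 has only "dependencies"
        for name, version, trail in walk_v1(lock.get("dependencies")):
            if name in REPORTED:
                hits.append((name, version, " > ".join(trail)))
    return hits, scripted

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        hits, scripted = scan_lockfile(json.load(fh))
    for name, version, where in hits:
        print(f"REPORTED PACKAGE: {name}@{version} at {where}")
    print(f"{len(scripted)} packages declare install scripts:", *scripted, sep="\n  ")
    sys.exit(1 if hits else 0)
```

The install-script list shows which dependencies would be affected by turning on ignore-scripts, which is the testing step the paragraph above calls for.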
Why Trusted AI Platforms Are Becoming Abuse Targets
Attackers increasingly abuse developer platforms because those services already sit on allowlists. A request to a known AI hub, package registry, code host, or telemetry endpoint may not trigger the same suspicion as traffic to a new attacker-owned domain.
The legitimate private datasets workflow makes sense for AI teams, but the same feature can hide stolen data if defenders only look for unknown domains and ignore unusual account destinations or upload patterns.
The Hugging Face security scanner page shows that model and repository security has become a platform priority. Even so, organizations still need local controls that detect suspicious package installs, credential access, and unusual data uploads from developer machines.
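One way to look at upload patterns instead of destination reputation, as an added example that is not from the cited reports. The log format, host names and baseline set are constructed, and it assumes a proxy that records the HTTP method and bytes sent per request.

```python
from collections import defaultdict

# Reported C2 indicators, kept defanged in source and refanged for matching.
C2_IP = "195[.]201[.]194[.]107".replace("[.]", ".")
C2 = {C2_IP, "copilot-ai.whisdev[.]org".replace("[.]", ".")}

# Constructed proxy log: time, source host, method, destination, bytes sent.
SAMPLE_LOG = f"""\
2025-01-01T09:00:01Z ml-train-01 PUT huggingface.co:443 52000000
2025-01-01T09:00:07Z dev-laptop-17 POST huggingface.co:443 18500000
2025-01-01T09:01:10Z dev-laptop-17 GET {C2_IP}:8010 900
2025-01-01T09:02:00Z build-runner-3 GET huggingface.co:443 0
2025-01-01T09:03:30Z dev-laptop-22 GET registry.npmjs.org:443 300
"""

def is_hugging_face(host):
    """Match the Hub's domain and its subdomains, not look-alike names."""
    return host == "huggingface.co" or host.endswith(".huggingface.co")

def triage(log_text, ai_hosts):
    """Return {source_host: [reasons]} for traffic worth investigating."""
    uploaded = defaultdict(int)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines
        _, src, method, dest, sent = parts
        host = dest.rsplit(":", 1)[0]
        if host in C2:
            findings[src].append(f"contact with reported C2 {dest}")
        if is_hugging_face(host) and method in ("POST", "PUT"):
            uploaded[src] += int(sent)
    for src, total in uploaded.items():
        if src not in ai_hosts:  # host has no known reason to upload to the Hub
            findings[src].append(f"{total} bytes uploaded to Hugging Face")
    return dict(findings)

if __name__ == "__main__":
    # Assumed baseline: only ml-train-01 is expected to push data to the Hub.
    for host, reasons in triage(SAMPLE_LOG, ai_hosts={"ml-train-01"}).items():
        print(host, "->", "; ".join(reasons))
```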
The Bottom Line
MicrosoftSystem64 shows how modern supply chain malware can use trusted AI infrastructure for both delivery and data theft. The malware does not need a noisy custom exfiltration server when it can upload stolen files to private datasets through normal HTTPS traffic.
The safest response is to assume full compromise on any affected system. The SafeDep report says the payload supports remote commands, keylogging, screenshots, credential theft, and cross-platform persistence, while the OX Security research shows related malicious logger packages continue to target developers through npm.
FAQ
MicrosoftSystem64 is a cross-platform remote access trojan and information stealer delivered through malicious npm packages. It targets Windows, macOS, and Linux systems and can steal credentials, crypto wallet data, SSH keys, screenshots, clipboard content, and keystrokes.
The malware uses Hugging Face to host or retrieve payloads and to upload stolen data into private datasets controlled by the attacker. This can make exfiltration traffic look like normal HTTPS activity to a trusted AI platform.
The main package reported in the campaign is js-logger-pack. Related packages include terminal-logger-utils, ts-logger-pack, pretty-logger-utils, and pinno-loggers.
Affected developers should isolate the system, remove persistence artifacts, rotate all credentials, replace SSH keys, revoke exposed tokens, rebuild affected CI runners, and check for outbound traffic to the reported command-and-control server and suspicious Hugging Face uploads.
The npm ignore-scripts option can reduce risk by preventing package install scripts from running automatically. However, teams should test it first because some legitimate packages rely on install scripts to build native modules or prepare assets.