Podcast Episode
Malicious npm Package Weaponises Hugging Face as Data Theft Backend
April 24, 2026
Security researchers have uncovered a malicious npm package, js-logger-pack, that turns Hugging Face into both a malware distribution network and a live exfiltration backend. The package uses private datasets to hide stolen data inside legitimate AI platform traffic, making detection extremely difficult.
A Supply Chain Attack Hiding in Plain Sight
Security researchers at JFrog have disclosed a sophisticated supply chain attack in which a malicious npm package, js-logger-pack, has been weaponising Hugging Face, one of the most widely used platforms in artificial intelligence, as both a malware content delivery network and a backend for exfiltrating data from compromised developer machines.
How the Attack Works
The package, tracked as MAL-2026-2827, disguises itself as a benign logging library. When a developer runs npm install, a hidden postinstall script silently launches a background downloader that fetches one of four platform-specific binaries from a public Hugging Face repository called Lordplay/system-releases. The binaries cover Windows, macOS on both x64 and arm64, and Linux, and each one is a Node.js Single Executable Application container wrapping an identical JavaScript implant.
Once running, the implant establishes persistence using platform-native mechanisms such as scheduled tasks and registry keys on Windows, LaunchAgents on macOS, and systemd user units on Linux. It then opens a WebSocket connection to a hard-coded command-and-control server. Its capabilities include keystroke logging, clipboard monitoring, credential scanning, arbitrary file read and write, Telegram data exfiltration, and the ability to download and execute additional payloads.
Hugging Face as a Covert Backend
What distinguishes this campaign is the use of private Hugging Face datasets as a live exfiltration channel. When an operator issues a command, the implant archives targeted files, creates or reuses a private dataset under an attacker-controlled account, and uploads stolen data directly. This allows malicious traffic to blend in seamlessly with legitimate AI platform activity, meaning the command-and-control server never has to host bulk stolen content itself.
False Flags and Attribution
JFrog's investigation uncovered deliberate identity manipulation, with the attacker planting false git commit metadata impersonating an engineering VP at a well-known prediction market firm. Researchers assessed with high confidence that this was an attempt to muddy attribution, with the real infrastructure tracing back to a cluster of linked personas connected to Web3 tooling.
Remediation
Anyone who installed js-logger-pack versions 1.1.0 through 1.1.27 is urged to treat their environment as fully compromised, rotating all accessible secrets including AWS keys, npm tokens, SSH keys, database credentials, and wallet seeds. The disclosure arrives amid a broader wave of supply chain attacks targeting developer ecosystems.
Published April 24, 2026 at 7:41pm