A Supply Chain RAT Exfiltrating to HuggingFace
A malicious npm package named js-logger-pack has evolved into a sophisticated remote access trojan (RAT) called MicrosoftSystem64. This malware exfiltrates data through HuggingFace and targets various systems, including cryptocurrency wallets and browsers. Despite being reported, the threat remains active, with ongoing surveillance of victims.
- The js-logger-pack npm package evolved through 29 versions, becoming a full WebSocket stealer and binary dropper.
- MicrosoftSystem64 is a multi-platform RAT that exfiltrates data to HuggingFace datasets and can execute 24 distinct remote commands.
- The malware targets over 80 cryptocurrency wallet extensions and includes features like a cross-platform keylogger and periodic screenshot capture.
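A lockfile check for the package named above, added here as an example and not taken from the SafeDep article: it reports every resolved copy of js-logger-pack, including transitive and aliased installs, in both npm lockfile layouts. The sample lockfiles and the names demo-app, demo-helper, demo-util and logger-alias are constructed; this summary does not say which of the 29 versions are malicious, so any version is reported.

```javascript
// Added example (not from the article): locate a flagged package in a parsed lockfile.
const FLAGGED = "js-logger-pack"; // package name taken from the article

// Returns [{ path, version }] for each install of `name`, direct or transitive.
function findPackage(lock, name = FLAGGED) {
  const hits = [];
  const marker = "node_modules/";

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // "" is the root project itself
    // An aliased install keeps the real package name in meta.name.
    const installed = meta.name || path.slice(idx + marker.length);
    if (installed === name) hits.push({ path, version: meta.version });
  }

  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because v2 lockfiles carry both and would report duplicates.
  const walk = (deps, trail) => {
    for (const [depName, dep] of Object.entries(deps || {})) {
      const path = `${trail}${marker}${depName}`;
      // v1 records an alias as "npm:<real-name>@<version>".
      const aliased = String(dep.version || "").startsWith(`npm:${name}@`);
      if (depName === name || aliased) hits.push({ path, version: dep.version });
      walk(dep.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles; versions are placeholders, not real releases.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/demo-util": { version: "1.3.0" },
  "node_modules/demo-helper": { version: "2.1.0" },
  "node_modules/demo-helper/node_modules/js-logger-pack": { version: "0.0.0-sample" },
  "node_modules/logger-alias": { name: "js-logger-pack", version: "0.0.0-sample" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "demo-util": { version: "1.3.0" },
  "demo-helper": { version: "2.1.0",
    dependencies: { "js-logger-pack": { version: "0.0.0-sample" } } },
} };

for (const hit of [...findPackage(SAMPLE_V3), ...findPackage(SAMPLE_V1)]) {
  console.log(`FLAGGED ${FLAGGED}@${hit.version} at ${hit.path}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findPackage`.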
Opening excerpt (first ~120 words):
Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace. Malware. SafeDep Team, May 28, 2026. 19 min read.
Excerpt limited to ~120 words for fair-use compliance. The full article is at SafeDep - Real-time Open Source Software Supply Chain Security.