A newly discovered malware called MicrosoftSystem64 has been quietly stealing data from infected computers by routing stolen files through HuggingFace, the popular AI platform used by researchers and developers worldwide.
The malware disguises itself as a legitimate Microsoft process, making it significantly harder for security tools to flag it as a threat. Its ability to abuse trusted, widely used infrastructure marks a serious shift in how attackers move stolen data without being caught.
The attack starts with a poisoned npm package called js-logger-pack, which went through 29 versions between early April 2026, growing from a basic probe into a full malware dropper.
Once a developer installs the package, it silently downloads and executes MicrosoftSystem64, an 81 MB binary that runs on Windows, Linux, and macOS without needing any separate software pre-installed.
From that point, the malware connects to a remote server, begins harvesting data, and locks itself into the system to survive restarts.
Researchers from SafeDep said in a report shared with Cyber Security News (CSN) that their April 15 analysis first identified the second-stage payload and documented how it abuses HuggingFace as both a binary hosting service and a data exfiltration channel. JFrog Research independently confirmed the same campaign a week later.
Despite both disclosures, the threat remained fully active as of May 28, 2026, with victims being monitored in real time and the attacker’s infrastructure still operating without interruption.
The malware is a remote access trojan with sweeping capabilities. It targets credentials from 15 browser families, lifts data from over 80 cryptocurrency wallet extensions, hijacks Telegram Desktop sessions, copies SSH keys, runs a continuous keylogger, and takes screenshots every 60 seconds.
All of this is uploaded to private datasets on HuggingFace under the attacker’s account. With 24 supported remote commands, the operators have near complete control over any infected system.
Attribution links the campaign to a North Korea-connected threat group tracked as Contagious Interview, known for targeting developers through fake job interviews and compromised open-source packages.
Multiple npm publisher accounts were used across the campaign, including js-logger-pack, terminal-logger-utils, ts-logger-pack, pretty-logger-utils, and pinno-loggers.
Any developer who installed packages from the jpeek or toskypi cluster should treat the machine as compromised and rotate all credentials immediately.
MicrosoftSystem64 Malware Uses HuggingFace Datasets
What sets this malware apart is how it moves stolen data. Instead of sending files back to a private server, MicrosoftSystem64 uploads them to private HuggingFace datasets using the platform’s own API.
This means all outbound traffic looks like normal, authenticated HTTPS requests to a well-known AI platform, the type of traffic most network monitoring tools would not flag as suspicious.
Each victim gets a separate set of private datasets on the attacker’s HuggingFace account, organized by machine identity and data category covering screenshots, credentials, and SSH keys.
The malware also pulls updates from HuggingFace every 24 hours, replacing its own binary when a newer version is available. SafeDep’s live probe on May 28 confirmed the attacker’s token was still active and recovered over 400 screenshots from two real victims who were being watched in near real time.
Supply Chain Entry and Cross-Platform Persistence
The infection path runs through the open-source supply chain, using npm packages crafted to look like routine developer utilities.
Once installed, the malware digs in using the native persistence tools of each platform: scheduled tasks and registry keys on Windows, LaunchAgents on macOS, and systemd services with autostart entries on Linux.
It labels its own process as MicrosoftSystem64 in system listings, closely mimicking the appearance of a genuine Microsoft background service.
The malware reconnects to its command server over WebSocket after any interruption and retries failed uploads automatically, so a temporary outage does not cost the attacker any stolen data.
Security teams and developers are strongly advised to scan all project dependencies for packages linked to the jpeek or toskypi cluster, isolate any affected machines, and immediately rotate all credentials, API tokens, SSH keys, and cryptocurrency wallet seed phrases without delay.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|
| Type | Indicator | Description |
|---|---|---|
| IP Address | 195[.]201[.]194[.]107:8010 | C2 server (WebSocket + HTTP), hosted on Hetzner Online GmbH, DE, AS24940 |
| File Hash (SHA-256) | b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97 | MicrosoftSystem64 Linux ELF binary (v1.0.8) |
| File Name | MicrosoftSystem64 | Malicious binary — Linux variant |
| File Name | MicrosoftSystem64.exe | Malicious binary — Windows variant |
| File Name | MicrosoftSystem64-darwin-x64 | Malicious binary — macOS (Intel) variant |
| File Name | MicrosoftSystem64-darwin-arm64 | Malicious binary — macOS (Apple Silicon) variant |
| URL | hxxps://huggingface[.]co/jpeek998/system-releases/resolve/main | HuggingFace binary hosting and self-update endpoint |
| HuggingFace Account | jpeek998 | Active exfiltration account (display name “Jlob”), created 2026-05-15 |
| HuggingFace Account | Lordplay | Earlier binary staging account (system-releases repo), file access disabled by HuggingFace |
| npm Package | js-logger-pack | Primary dropper package (v1.1.22+ acts as MicrosoftSystem64 dropper) |
| npm Package | terminal-logger-utils | May 2026 dropper, RC4/XOR obfuscated |
| npm Package | ts-logger-pack | Dependency proxy to terminal-logger-utils |
| npm Package | pretty-logger-utils | May 2026 dropper under jpeek895 cluster |
| npm Package | pinno-loggers | May 2026 dropper under jpeek895 cluster |
| npm Account | jpeek868 / jpeek886 / jpeek895 | Rotated npm publisher accounts sharing Lordplay HuggingFace infrastructure |
| npm Account | toskypi | Persistent author identity across campaigns (email: tosky.pi1016@gmail.com) |
| HuggingFace Token (encrypted) | MlohU84sIc82dTpY/CgE3jdOOWD1OwnyDXYRds4bG+cUeBRH7w== | Encrypted HuggingFace API token embedded in binary config (reported for revocation) |
| XOR Encryption Key | XOR key used to decrypt hardcoded binary configuration values | |
| Hostname | copilot-ai.whisdev[.]org | Secondary C2 hostname on same IP (195[.]201[.]194[.]107), linked to whisdev/ptcbink persona |
| SSH Key Comment | bink@DESKTOP-N8JGD6T | Leaked SSH key comment from js-logger-pack v1.1.5, attacker’s development machine |
| URL | hxxp://195[.]201[.]194[.]107:8010/api/validate/hf-upload-complete | C2 endpoint that receives HuggingFace upload completion notifications |
| Persistence — Windows | \MicrosoftSystem64 (scheduled task); HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Windows persistence mechanisms used by the malware |
| Persistence — macOS | ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist | macOS LaunchAgent persistence path |
| Persistence — Linux | ~/.config/systemd/user/MicrosoftSystem64.service; ~/.config/autostart/MicrosoftSystem64.desktop | Linux systemd and XDG autostart persistence paths |
| Install Directory | ~/.local/share/MicrosoftSystem64 (Linux); ~/Library/Application Support/MicrosoftSystem64 (macOS); %LOCALAPPDATA%\MicrosoftSystem64 (Windows) | Per-platform install directories |
| Registration Marker | .registered (ISO timestamp file in install directory) | First-execution marker written by malware to track installation |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
