Malicious npm Package Turns Hugging Face Into Malware CDN and Exfiltration Backend

A rogue npm package named js-logger-pack has been caught quietly turning Hugging Face, a widely trusted AI model hosting platform, into both a malware delivery network and a stolen data storage backend.

The campaign marks a clear shift in how attackers abuse legitimate cloud services to run supply chain attacks while staying hidden.

The package appeared harmless at first. When developers installed it, a plausible but benign logger loaded into their project, masking the real threat. The actual attack started through a postinstall script that ran automatically during installation.

That script launched a detached background process so the visible npm install command finished normally while a hidden downloader kept running.

Based on the host operating system, it fetched one of four malicious binaries from a public Hugging Face repository controlled by the attacker, identified as Lordplay/system-releases.

JFrog Security researchers identified and extracted the embedded JavaScript payload from all four Node.js Single Executable Application (SEA) binaries across Windows, macOS, and Linux.

Their analysis confirmed that the same cross-platform JavaScript bundle was injected into each container, with all malicious logic packed inside that single bundle.

The four binaries were not separate malware families; they were the same implant wrapped inside four different Node.js runtime containers. Researchers published their detailed findings on April 23, 2026.

Once deployed, the implant established persistence through platform-native methods: scheduled tasks and registry Run keys on Windows, LaunchAgent entries on macOS, and systemd user units on Linux.

It then began sending system information to a hard-coded command-and-control server at 195[.]201[.]194[.]107 over WebSocket. The attacker had a live foothold capable of reading and writing arbitrary files, scanning for credentials, logging keystrokes, monitoring the clipboard, and deploying more payloads.

What made this campaign especially alarming was not just the infection chain but the choice of exfiltration destination. Rather than sending stolen files to a private server, the operator redirected all collected data into private Hugging Face datasets, outsourcing the entire data theft storage to Hugging Face’s own infrastructure.

Hugging Face as the Exfiltration Backend

The most technically striking aspect of this campaign was the use of Hugging Face as a live data theft channel.

Hugging Face Exfiltration Flow (Source - JFrog)

When the operator triggered an upload task through the C2, the implant received a Hugging Face token, a username, a target path, and an upload ID.

It compressed the requested file or folder into a gzip archive, created or reused a private Hugging Face dataset under the attacker’s account, and uploaded the archive using an embedded Hugging Face hub client.

Once done, the implant notified the Hetzner-hosted controller. Pending uploads were tracked in a local state file and resumed on reconnect, so no stolen data was lost even if the connection dropped.

This gave the attacker a real operational edge. The C2 server never had to store stolen content directly, lowering its exposure and making traffic harder to detect.

The attacker simply pointed the implant at attacker-controlled Hugging Face accounts and let the platform handle storage.

The implant also supported a session-clearing feature that killed browser processes and wiped credentials, forcing users to retype passwords while the keylogger was already running.

Any credentials entered after that forced logout could be captured and sent to a private dataset within minutes.

Rotate all secrets without delay, including AWS keys, SSH keys, npm tokens, database passwords, API keys, and credentials stored in browser profiles.

Remove all persistence artifacts by deleting the MicrosoftSystem64 scheduled task, registry Run key, LaunchAgent entry, or systemd unit depending on the operating system.

Purge the package and clear the npm cache, then run npm config set ignore-scripts true to prevent postinstall hooks from running automatically. Review all package.json dependency changes carefully, including minor patch-level updates.

Any machine that ran js-logger-pack version 1.1.27 should be treated as fully compromised until all secrets are rotated and every persistence artifact is gone.
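One way to check a project for exposure, as an added example that is not code from JFrog or from the original article: it audits a parsed npm package-lock.json (lockfileVersion 2 or 3), flags the js-logger-pack release named above, and lists every dependency whose lockfile entry carries hasInstallScript. The sample lockfile and the names auditLockfile, packageNameFromPath and KNOWN_BAD are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// Release named in the article; other versions of the package are flagged for review.
const KNOWN_BAD = new Map([['js-logger-pack', ['1.1.27']]]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = meta.name || packageNameFromPath(path);
    const badVersions = KNOWN_BAD.get(name);
    if (badVersions) {
      const severity = badVersions.includes(meta.version) ? 'compromised' : 'review';
      findings.push({ name, version: meta.version, path, severity,
        reason: 'package named in the js-logger-pack report' });
    } else if (meta.hasInstallScript) {
      // npm records hasInstallScript when preinstall/install/postinstall is declared
      findings.push({ name, version: meta.version, path, severity: 'review',
        reason: 'runs lifecycle scripts at install time' });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical package names except js-logger-pack).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/plain-lib-demo': { version: '1.3.0' },
    'node_modules/native-addon-demo': { version: '2.0.0', hasInstallScript: true },
    'node_modules/some-lib-demo/node_modules/js-logger-pack':
      { version: '1.1.27', hasInstallScript: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`[${f.severity}] ${f.name}@${f.version} (${f.path}): ${f.reason}`);
}
```

To audit a real project, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to auditLockfile; nested paths show which dependency pulled the package in.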


The post Malicious npm Package Turns Hugging Face Into Malware CDN and Exfiltration Backend appeared first on Cyber Security News.