VYPR

npm · Malicious package advisory

Malware

terminal-logger-utils

MAL-2026-4198

Malicious code in terminal-logger-utils (npm)

Details

terminal-logger-utils is a malicious npm package. When installed, it executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper checks the current system, downloads a platform-specific second-stage binary from Hugging Face, and executes it.

The second-stage payload is a bundled Node.js executable with embedded malicious JavaScript that provides keylogger, infostealer, and RAT behavior. It collects clipboard and keyboard events, tracks password-field typing, and steals sensitive local data, including Telegram Desktop sessions, browser login databases, crypto wallets, SSH keys, cloud configurations, environment variables, and keyword-matched files. It also connects to a remote server for full machine control.

Compromised versions (2)

  • 1.1.0
  • 1.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.
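
A lockfile check for the two versions listed above, as an added example that is not part of the original advisory. It scans a parsed package-lock.json in either layout (the flat "packages" map or the older nested "dependencies" tree), including transitive and aliased installs; the sample lockfiles and the names example-app, example-dep and tlu-alias are constructed.

```javascript
// Added example: package name and versions come from the advisory's list.
const BAD_NAME = 'terminal-logger-utils';
const BAD_VERSIONS = new Set(['1.1.0', '1.1.1']);
const NM = 'node_modules/';

// Return every lockfile location that resolves to a compromised version.
function findCompromised(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const i = path.lastIndexOf(NM);
    // An aliased install records the real package name in entry.name.
    const name = entry.name || (i >= 0 ? path.slice(i + NM.length) : path);
    if (name === BAD_NAME && BAD_VERSIONS.has(entry.version)) {
      hits.push({ where: path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name === BAD_NAME && BAD_VERSIONS.has(entry.version)) {
        hits.push({ where: [...trail, name].join(' > '), version: entry.version });
      }
      walk(entry.dependencies, [...trail, name]);
    }
  };
  // v2 lockfiles carry both layouts; skip the legacy tree to avoid duplicates.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not from the advisory).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.0.1' },
    'node_modules/example-dep': { version: '1.1.0' },
    'node_modules/example-dep/node_modules/terminal-logger-utils': { version: '1.1.1' },
    'node_modules/tlu-alias': { name: 'terminal-logger-utils', version: '1.1.0' },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'example-dep': { version: '2.0.0', dependencies: { 'terminal-logger-utils': { version: '1.1.0' } } },
  },
};
console.log(findCompromised(sampleV3), findCompromised(sampleV1));
```

To scan a real project, pass the result of `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findCompromised`. A clean lockfile only describes the current dependency tree and does not rule out an earlier install on the same machine.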