VYPR

npm · Malicious package advisory

Malware

msc-terminal

MAL-2026-4823

Malicious code in msc-terminal (npm)

Details

Part of a multi-package malicious campaign, `msc-terminal` (npm author `nhpkevte1576`) carries the same payload as `eo-terminal` and `logger-draft` — a fully-featured infostealer and remote access trojan (RAT) deployed via a `postinstall` hook. All three packages share the same C2 infrastructure and attack chain.

On installation, the `postinstall` hook copies a large JavaScript agent to a persistent location disguised as `MicrosoftSystem64` and registers it as a system service (systemd on Linux, LaunchAgent on macOS, scheduled task or registry run key on Windows). A sandbox check (CPU count and CPU model string) aborts execution in analysis environments. The install process exits cleanly with `process.exit(0)`, leaving no visible error output.

**C2 infrastructure:** Primary WebSocket/HTTP C2 at `ws://195.201.194.107:8010` (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository `yszf984308/system-release` via a hardcoded API token.

**Capabilities** (shared with campaign):
- **Keylogger** — keystroke and password capture with offline queuing
- **Clipboard harvesting** — 1,000 ms polling via platform-native tools
- **Screenshot capture and live streaming**
- **Browser credential theft** — Chromium-family and Firefox profile directories
- **Crypto wallet exfiltration** — 20+ desktop wallets
- **SSH backdoor** — exfiltrates SSH keys and injects attacker RSA public key into `authorized_keys`
- **Shell history theft** — 15+ history file formats across all user home directories
- **Environment variable and `.env` file theft** — targets cloud and CI/CD credentials at install time
- **Telegram session theft** — full `tdata/` directory exfiltration
- **Cloud credential theft** — AWS, Azure, GCP, Kubernetes, Docker, GnuPG
- **Recursive filesystem scan** — certificate, key, and wallet files uploaded to HuggingFace
- **Remote command execution** and interactive terminal sessions
- **Self-update** via HuggingFace-hosted native binaries

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (eec05fa3df0248b788635026129e1ca42d37887fe05235f20f2e9ad6f0ad6f27)
Cross-platform infostealer/RAT. postinstall installs obfuscated payload.js as 'MicrosoftSystem64' persistence (schtasks/launchctl/systemd). Keylogger w/ password-field detection, 27-wallet drainer, browser+SSH cred exfil, HuggingFace as covert C2.

Compromised versions (1)

  • 3.2.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.