MicrosoftSystem64 Malware Abuses HuggingFace Datasets for Stealthy Data Exfiltration
A cross-platform RAT distributed via poisoned npm packages exfiltrates credentials, crypto wallets, and SSH keys to private HuggingFace datasets, blending malicious traffic with legitimate API calls.
Researchers have uncovered a sophisticated malware campaign dubbed MicrosoftSystem64 that leverages the trusted AI platform HuggingFace as both a hosting service and an exfiltration channel. The malware, a cross-platform remote access trojan (RAT), is distributed through the poisoned npm package js-logger-pack, which has undergone 29 versions since early April 2026. Once installed, the 81 MB binary targets Windows, Linux, and macOS systems, harvesting credentials from 15 browser families, over 80 cryptocurrency wallet extensions, Telegram Desktop sessions, SSH keys, and continuous screenshots. The stolen data is uploaded to private datasets on the attacker's HuggingFace account, making all outbound traffic appear as legitimate HTTPS requests to a well-known AI platform—a technique that evades most network monitoring tools.
The attack chain begins with the npm package js-logger-pack, which evolved from a basic probe into a full malware dropper. After installation, it silently downloads and executes the MicrosoftSystem64 binary, which mimics a legitimate Microsoft process to avoid detection. The malware establishes persistence using platform-native mechanisms: scheduled tasks and registry keys on Windows, LaunchAgents on macOS, and systemd services with autostart entries on Linux. It connects to a remote command server via WebSocket, retrying failed uploads automatically to ensure no data is lost. The malware also updates itself every 24 hours by pulling new binaries from HuggingFace, allowing the operators to evolve their toolset without changing infrastructure.
What sets MicrosoftSystem64 apart is its abuse of HuggingFace's API for data exfiltration. Instead of sending stolen files to a private server, the malware uploads them to private datasets under the attacker's HuggingFace account, organized by machine identity and data category (screenshots, credentials, SSH keys). This technique blends malicious traffic with the vast volume of legitimate HuggingFace API calls, making detection extremely difficult. SafeDep's live probe on May 28 confirmed the attacker's token was still active and recovered over 400 screenshots from two real victims who were being monitored in near real time. The campaign remained fully active as of that date, with the attacker's infrastructure operating without interruption.
The campaign is attributed to the North Korea-linked threat group tracked as Contagious Interview, known for targeting developers through fake job interviews and compromised open-source packages. Multiple npm publisher accounts were used across the campaign, including js-logger-pack, terminal-logger-utils, ts-logger-pack, pretty-logger-utils, and pinno-loggers. Researchers from SafeDep and JFrog independently confirmed the same campaign, with SafeDep's April 15 analysis first identifying the second-stage payload and documenting the HuggingFace abuse. Despite both disclosures, the threat remained active, with victims being watched in real time.
Security teams and developers are strongly advised to scan all project dependencies for packages linked to the jpeek or toskypi cluster, isolate any affected machines, and immediately rotate all credentials, API tokens, SSH keys, and cryptocurrency wallet seed phrases. The malware's ability to abuse trusted infrastructure like HuggingFace marks a significant shift in how attackers move stolen data without being caught, and its cross-platform nature and persistence mechanisms make it a formidable threat to developer environments and enterprise networks alike.