
Hackers Use Hugging Face to Host Second-Stage Malware for npm Supply Chain Attack

Source: Cybersecurity News. Archived May 22, 2026.




By Tushar Subhra Dutta, May 22, 2026

Hackers have found a new and alarming way to weaponize one of the most trusted platforms in the AI world. A threat actor linked to North Korea has embedded second-stage malware inside Hugging Face, the widely used AI and machine learning hub, effectively turning it into a malware delivery channel and a live data exfiltration backend for a sophisticated npm supply chain attack actively targeting software developers worldwide.

The attack began with a deceptively simple npm package called “terminal-logger-utils,” which was designed to look like a routine development utility. Three additional packages tied to it, pretty-logger-utils, ts-logger-pack, and pinno-loggers, imported and spread the malicious behavior even further, putting any developer who installed them at immediate and serious risk. The malware was capable of stealing Telegram data, SSH keys, cryptocurrency wallets, browser login databases, cloud configuration files, and environment variables across multiple drives.

Researchers at OX Security identified the malicious packages and traced the threat actor behind them to previously documented North Korean, or DPRK, campaigns. The threat actor account “jpeek895” had been flagged before on kmsec.uk for uploading a very similar npm package with direct ties to DPRK activity.

OX Security said in a report shared with Cyber Security News that the package exhibits keylogger, infostealer, and remote access trojan (RAT) behavior all at once, making it an unusually capable and dangerous threat.

What makes this attack stand out is how cleverly the attacker used Hugging Face to stay hidden from detection. Rather than running their own suspicious servers for malware delivery, they hosted the second-stage binary on Hugging Face’s platform, a site that most security filters treat as safe and trustworthy.
Stolen data was also uploaded to private Hugging Face datasets, meaning the malicious traffic blended seamlessly with everyday AI research activity and easily evaded scrutiny.

The npm maintainer accounts tied to the dependent packages, pvnd3540749, yggedd817513, and jpeek886, each played a role in spreading the infection. Developers who installed any of the named packages during the active period should assume their environment has been compromised and act without delay.

Hackers Use Hugging Face

The malware’s entry point is a postinstall hook embedded inside the package’s package.json file. When a developer runs npm install, the hook quietly opens a file called utils.cjs, which is an obfuscated malware dropper that checks the victim’s operating system and then fetches the appropriate binary from Hugging Face.

[Figure: Attack chain (Source – OX-Security)]

That downloaded binary is a Node.js Single Executable Application, a bundled file containing the full malicious JavaScript implant inside it. Once running, it connects back to the attacker’s server over a WebSocket connection, giving the operator full machine control, including the ability to read and write files, execute shell commands, capture screenshots, and inject input.

A parallel background loop also runs at startup, continuously logging keystrokes, polling the clipboard, and sending stolen data to the attacker’s HTTP endpoint. All of this happens silently, with no visible signs to the developer.

Persistence and Self-Update Mechanism

Once the implant lands on a Windows machine, it installs itself under the path %LOCALAPPDATA%\MicrosoftSystem64, a directory name deliberately chosen to resemble a legitimate Microsoft system folder. It then registers a login persistence mechanism through a hidden VBS launcher and a scheduled task, with a registry Run key as a fallback in case the primary methods fail.
On its first run, the malware also checks whether it needs to update itself by reaching out to the operator’s Hugging Face repository. This self-update capability means the attacker can quietly swap out or upgrade the implant without reinfecting the victim.

Security teams are strongly advised to remove the malware from any infected machine immediately, block all network requests to the known indicators of compromise listed below, and perform full key rotation with two-factor authentication enabled. Developers should treat any postinstall script in unfamiliar packages as untrusted by default, and prefer lockfile-driven installs using npm ci in all CI and build pipeline environments.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| npm Package | terminal-logger-utils | Primary malicious npm package; contains the postinstall hook that triggers the attack chain |
| npm Package | pretty-logger-utils | Dependent malicious package that imports terminal-logger-utils |
| npm Package | ts-logger-pack | Dependent malicious package that imports terminal-logger-utils |
| npm Package | pinno-loggers | Dependent malicious package that imports terminal-logger-utils |
| File Name | utils.cjs | Obfuscated malware dropper; opened by the postinstall hook to download second-stage payload |
| File Path | %LOCALAPPDATA%\MicrosoftSystem64 | Persistence installation path used by the implant on Windows machines |
| Hugging Face Repository | Lordplay/system-releases | Attacker-controlled repository used to host the second-stage Node.js SEA binaries |
| HTTP Endpoint | /api/validate/keyboard-events | C2 endpoint used by the implant to exfiltrate keystroke data over HTTP |
| Threat Actor Account | jpeek895 | npm account responsible for uploading the primary malicious package |
| npm Account | pvnd3540749 | Maintainer account linked to the dependent malicious packages |
| npm Account | yggedd817513 | Maintainer account linked to the dependent malicious packages |
| npm Account | jpeek886 | Maintainer account linked to the dependent malicious packages |
| IP Address | 195.201.194.107 | WebSocket C2 server address used by the implant for full machine control |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
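
One way to check a project against the package names above and to surface dependencies that run install scripts, as an added example that is not part of the original article or of OX Security's report. It reads npm's `package-lock.json` structure (the `packages` map and its `hasInstallScript` flag); the function names, the `left-helper` package and all version numbers are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the npm packages
// named in this article and for dependencies that declare install scripts.
const IOC_PACKAGES = new Set([
  'terminal-logger-utils', 'pretty-logger-utils', 'ts-logger-pack', 'pinno-loggers',
]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Lockfile v1 nests entries under "dependencies"; flatten them to one list.
// v1 does not record install scripts, so that flag stays false here.
function walkV1(deps, out = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    out.push({ name, version: meta.version, hasInstallScript: false });
    walkV1(meta.dependencies, out);
  }
  return out;
}

function auditLockfile(lock) {
  const entries = lock.packages
    ? Object.entries(lock.packages)
        .filter(([p]) => p !== '') // "" is the root project itself
        .map(([p, m]) => ({ name: nameFromLockPath(p), version: m.version,
                            hasInstallScript: m.hasInstallScript === true }))
    : walkV1(lock.dependencies);
  return {
    iocHits: entries.filter((e) => IOC_PACKAGES.has(e.name)),
    installScripts: entries.filter((e) => e.hasInstallScript),
  };
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-helper': { version: '2.1.0' },
    'node_modules/ts-logger-pack': { version: '0.0.1' },
    'node_modules/ts-logger-pack/node_modules/terminal-logger-utils':
      { version: '0.0.1', hasInstallScript: true },
  },
};
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile`; any entry in `iocHits` means the environment should be handled as compromised, as the article advises.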