malware npm
js-logger-pack
discovered 2026-04-15

js-logger-pack is a malicious npm package (29 versions, published 2026-04-01 to 2026-04-20) that evolved from an SSH backdoor and infostealer into a binary dropper for MicrosoftSystem64, an 81 MB Node.js Single Executable Application (SEA) RAT with 24 remote tasks covering browser credential theft (15 browser families), 80+ crypto wallet extensions, keylogging, clipboard monitoring, screenshot capture uploaded to HuggingFace, Telegram session hijack, SSH key exfiltration, and remote shell access. Attributed to DPRK Famous Chollima / Contagious Interview via linkage to the jpeek868 account. OSV: MAL-2026-2827 / GHSA-mj89-jrhm-qxhc.
Threat types
credential_stealer crypto_drainer data_exfiltration persistence c2_agent
Malicious versions
- 0.0.1
- 1.0.0
- 1.1.0
- 1.1.2
- 1.1.4
- 1.1.5
- 1.1.6
- 1.1.7
- 1.1.8
- 1.1.9
- 1.1.10
- 1.1.14
- 1.1.17
- 1.1.18
- 1.1.19
- 1.1.20
- 1.1.21
- 1.1.22
- 1.1.23
- 1.1.24
- 1.1.25
- 1.1.26
Campaigns
Indicators
- domain api-sub.jrodacooker.dev (communicates-with)
- domain huggingface.co (communicates-with)
- ipv4 195.201.194.107 (communicates-with)
- domain copilot-ai.whisdev.org (communicates-with)
- url https://huggingface.co/jpeek998/system-releases/resolve/main (communicates-with)
- url https://huggingface.co/Lordplay/system-releases (communicates-with)
- email jpeek868@gmail.com (indicates)
- file_path ~/.local/share/MicrosoftSystem64 (uses)
- file_path ~/.pcl-state/uploads.json (uses)
- email tosky.pi1016@gmail.com (indicates)
- url https://huggingface.co/jpeek998/linux_doc_75a5ffec36ca (exfiltrates-to)
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1041 Exfiltration Over C2 Channel (uses)
- ttp T1552.004 Unsecured Credentials: Private Keys (uses)
- ttp T1539 Steal Web Session Cookie (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp T1102 Web Service (uses)
- ttp T1546 Event Triggered Execution (uses)
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1555.003 Credentials from Password Stores: Web Browsers (uses)
- ttp T1056.001 Input Capture: Keylogging (uses)
- ttp T1115 Clipboard Data (uses)
- ttp T1113 Screen Capture (uses)
- ttp T1567.001 Exfiltration to Code Repository (uses)
- ttp T1053.005 Scheduled Task/Job: Scheduled Task (uses)
- ttp T1543.004 Create or Modify System Process: Launch Daemon (uses)
- ttp T1543.002 Create or Modify System Process: Systemd Service (uses)
- ttp T1059.004 Command and Scripting Interpreter: Unix Shell (uses)
- ttp Node.js Single Executable Application Packaging (uses)
- ttp T1027.013 Obfuscated Files or Information: Encrypted/Encoded File (uses)
- ttp T1078.001 Valid Accounts: Default Accounts (uses)
