A sophisticated supply chain attack has been uncovered, wherein a malicious npm package named js-logger-pack was used to transform Hugging Face, a popular platform for AI models, into a backend for malware distribution and data exfiltration. This discovery by JFrog Security researchers highlights a disturbing evolution in cyber tactics, leveraging trusted cloud services to conceal illicit activities.
The compromised package, masquerading as a benign logging utility, executed a hidden postinstall script upon installation. This script initiated a background process that downloaded one of four malicious binaries from a Hugging Face repository controlled by the attacker, identified as Lordplay/system-releases. The analysis revealed a single, cross-platform JavaScript bundle embedded within multiple Node.js Single Executable Application (SEA) binaries for Windows, macOS, and Linux, indicating a unified attack strategy.
Hugging Face as the Exfiltration Backend
The operational ingenuity of this attack lies in its novel use of Hugging Face as a clandestine data storage solution. Instead of directing stolen information to traditional command-and-control servers, the attacker orchestrated the upload of sensitive data into private Hugging Face datasets. This strategic move significantly reduces the attacker’s footprint and makes the exfiltration process exceedingly difficult to detect.
Once activated, the implant established persistence using mechanisms native to each operating system: scheduled tasks and registry Run keys on Windows, LaunchAgent entries on macOS, and systemd user units on Linux. After establishing persistence, the malware transmitted system information over WebSocket to a hard-coded command-and-control server at 195[.]201[.]194[.]107. This gave the attacker a live channel to read and write files, steal credentials, record keystrokes, and monitor clipboard activity, and to deploy additional malicious payloads.
The same sophistication showed in how the implant managed data uploads to Hugging Face. When the C2 server initiated an upload task, the implant received a Hugging Face token, a target username, a designated path, and an upload ID. The data to be exfiltrated was compressed into a gzip archive. The implant then created a private Hugging Face dataset under the attacker’s control, or reused an existing one, and uploaded the archive using an integrated Hugging Face hub client. It tracked pending uploads in a local state file and resumed them upon reconnection, so that intermittent network connectivity did not cause data loss.
This method provided the attacker with a considerable operational advantage. By outsourcing the storage of stolen content to Hugging Face, the C2 server remained less exposed and traffic patterns were harder to scrutinize. The attacker simply directed the implant to specific Hugging Face accounts they controlled, effectively leveraging the platform’s infrastructure for their illicit purposes. The implant also incorporated a session-clearing feature designed to terminate browser processes and invalidate credentials, forcing users to re-enter their passwords. Any credentials entered thereafter could be swiftly captured by the running keylogger and exfiltrated to the private dataset within minutes.
The implications of this attack extend beyond the immediate compromise of systems. It signals a growing trend of attackers abusing legitimate and widely-used cloud services for malicious ends, complicating detection and response efforts for security professionals. The reliance on platforms like Hugging Face for both malware delivery and data exfiltration blurs the lines between legitimate development infrastructure and criminal operations.
Security experts are urging immediate action for any systems that may have utilized the affected js-logger-pack package, specifically version 1.1.27. The recommended mitigation steps include rotating all sensitive credentials such as AWS keys, SSH keys, npm tokens, database passwords, API keys, and browser-stored credentials. Furthermore, it is crucial to remove all persistence artifacts by deleting the specific scheduled tasks, registry keys, LaunchAgent entries, or systemd units associated with the malware.
Additionally, affected users should purge the malicious package and clear their npm cache. To prevent the automatic execution of postinstall scripts in the future, running `npm config set ignore-scripts true` is advised. A thorough review of all `package.json` dependency changes, including minor patch-level updates, is also recommended to identify any signs of compromise. Any machine confirmed to have run the compromised version of js-logger-pack should be treated as fully compromised until all security measures are implemented.
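As an added example (not taken from the JFrog report or the original article), the following Node.js function checks a parsed package-lock.json for the js-logger-pack 1.1.27 entry named above and lists every dependency that declares install-time scripts. The sample lockfile and the example-* package names are constructed; `hasInstallScript` is the field npm records in lockfile v2/v3 entries.

```javascript
// Added example: audit a parsed package-lock.json (defensive check).
// The blocklist entry comes from the article; SAMPLE_LOCK is constructed.
const BLOCKLIST = new Map([['js-logger-pack', new Set(['1.1.27'])]]);

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-addon': { version: '2.0.0', hasInstallScript: true },
    'node_modules/example-tool': { version: '1.0.0' },
    'node_modules/example-tool/node_modules/js-logger-pack':
      { version: '1.1.27', hasInstallScript: true },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function auditLockfile(lock, blocklist = BLOCKLIST) {
  const findings = { blocked: [], installScripts: [] };
  const check = (name, version, where, hasScript) => {
    if (blocklist.get(name)?.has(version)) findings.blocked.push({ name, version, where });
    if (hasScript) findings.installScripts.push({ name, version, where });
  };
  // Lockfile v2/v3: flat "packages" map keyed by install path ("" is the root project).
  // Nested paths expose transitive copies that package.json never mentions.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    check(meta.name || nameFromPath(path), meta.version, path, meta.hasInstallScript === true);
  }
  // Lockfile v1: nested "dependencies" tree, which carries no install-script flag.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail.concat(name).join(' > '), false);
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return findings;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample object.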
The ongoing investigation by JFrog Security and other cybersecurity entities will likely focus on identifying the full extent of the compromised Hugging Face repositories and the number of affected users. Future containment strategies may involve tighter security protocols on platforms like Hugging Face to prevent the misuse of their services for cybercrime, and enhanced monitoring by npm to detect similarly disguised malicious packages.

