MicrosoftSystem64 Malware Hides Stolen Data Inside HuggingFace

A newly discovered piece of malware called MicrosoftSystem64 has been stealing browser passwords, crypto wallets and SSH keys from developers and shipping the loot out through HuggingFace, the AI platform that data scientists trust for hosting models and datasets. Supply chain security firm SafeDep flagged the second-stage payload on April 15, JFrog Security Research confirmed the same campaign about a week later, and the operation was still running live on May 28, with researchers watching real victims in near real time.

What makes the campaign hard to stop is the delivery route. By piping stolen files into private datasets on a service nearly every corporate firewall already trusts, the operators turned a mainstream AI platform into an invisible drop box that blends in with the authenticated web traffic security teams see all day.

How MicrosoftSystem64 Turns HuggingFace Into a Mailbox

Most data-stealing malware phones home to a private server the attacker controls. That server is the weak link: defenders can block its address, and the connection often looks odd enough to trip an alert. This campaign skips that step entirely.

Instead, the trojan uploads everything it grabs to private datasets on the attacker’s HuggingFace account using the platform’s own application programming interface (API, the standard way software talks to a service). Every outbound transfer reads as an ordinary, authenticated HTTPS request to a well-known machine-learning site, exactly the kind of traffic that exfiltration over a trusted web service is designed to hide inside.

Each victim gets a dedicated set of private datasets, organized by machine identity and by data type: one bucket for screenshots, one for credentials, one for SSH keys. The malware also checks the same platform for a newer build every 24 hours and swaps out its own file when one is posted, so the operators can patch and upgrade their implant the way a normal app pushes updates.

SafeDep’s live probe on May 28 found the embedded upload token still valid, the command server still answering, and more than 400 screenshots already pulled from two real victims being surveilled in near real time. Full technical findings are in the firm’s teardown of the MicrosoftSystem64 binary payload.

Why Trusted AI Platforms Are the New Exfiltration Highway

This is the part most coverage skims past. The clever exfiltration trick is not a one-off. It fits a pattern that has been building across the AI tooling world for more than a year, and MicrosoftSystem64 is its sharpest example so far.

In February 2025, ReversingLabs documented malicious machine-learning models hosted on the same platform that slipped past its scanners using broken pickle files. Since then, researchers have logged fake OpenAI repositories pushing infostealers, trojanized models hitting trending charts with hundreds of thousands of downloads, and loaders that fetch their next stage from AI model hubs. The platform keeps showing up because it works for attackers.

The logic is simple and ugly. AI platforms carry a halo of trust, they sit on allowlists across enterprise networks, and their API traffic looks identical whether you are downloading a language model or uploading a folder of stolen keystrokes. JFrog’s analysts captured why that matters in their breakdown of the HuggingFace exfiltration backend: the same infrastructure now serves as both the malware download network and the place to dump what it steals.

For defenders, that collapses two old assumptions. You can no longer treat a connection to a reputable AI domain as automatically benign, and you can no longer count on spotting a strange new server in the logs, because there is no strange new server.
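One way to act on the last two sections from the defender's side, as an added example that is not from the article or the researchers it cites: a small Python detector that reads proxy log lines and flags any client whose uploads to huggingface.co recur on a fixed cadence, the kind of loop an implant posting a screenshot every minute produces. The log lines, hostnames and byte counts are constructed for this example, and the request paths are placeholders shaped like Hub API calls rather than captured traffic.

```python
import statistics
from datetime import datetime

# Constructed proxy log, not captured traffic: "<ISO time> <client> <method> <host> <path> <bytes sent>".
# The paths are placeholders shaped like Hub dataset API calls.
SAMPLE_LOG = """
2026-05-28T09:00:00 build-agent-2 GET  huggingface.co /api/models/ORG/MODEL 512
2026-05-28T09:00:09 build-agent-2 POST huggingface.co /api/models/ORG/MODEL/commit/main 3100000
2026-05-28T09:00:02 dev-laptop-7 POST huggingface.co /api/datasets/ACCT/DATASET/commit/main 190000
2026-05-28T09:01:03 dev-laptop-7 POST huggingface.co /api/datasets/ACCT/DATASET/commit/main 188500
2026-05-28T09:02:01 dev-laptop-7 POST huggingface.co /api/datasets/ACCT/DATASET/commit/main 191200
2026-05-28T09:03:02 dev-laptop-7 POST huggingface.co /api/datasets/ACCT/DATASET/commit/main 187900
2026-05-28T09:04:00 dev-laptop-7 POST huggingface.co /api/datasets/ACCT/DATASET/commit/main 190400
2026-05-28T09:05:01 dev-laptop-7 POST huggingface.co /api/datasets/ACCT/DATASET/commit/main 189700
"""

def hub_uploads(log_text, hub_host="huggingface.co"):
    """Parse the log and keep upload-shaped requests (POST/PUT) to the hub, grouped by client."""
    uploads = {}
    for line in log_text.strip().splitlines():
        ts, client, method, host, _path, nbytes = line.split()
        if host == hub_host and method in ("POST", "PUT"):
            uploads.setdefault(client, []).append((datetime.fromisoformat(ts), int(nbytes)))
    return uploads

def metronomic_uploaders(log_text, period_s=60, tolerance_s=10, min_events=5):
    """Clients whose hub uploads recur at a fixed cadence, e.g. an implant posting a screenshot
    every 60 s. Returns {client: {"uploads": n, "median_gap_s": g, "bytes": total}}."""
    alerts = {}
    for client, evs in hub_uploads(log_text).items():
        if len(evs) < min_events:          # a one-off model push never reaches this
            continue
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - period_s) <= tolerance_s:
            alerts[client] = {"uploads": len(evs), "median_gap_s": median_gap,
                              "bytes": sum(n for _, n in evs)}
    return alerts

def heavy_uploaders(log_text, min_bytes):
    """Clients that pushed more than min_bytes to the hub. Volume alone also catches legitimate
    model pushes, so pair it with the cadence check or an allowlist of hosts expected to publish."""
    return {c: sum(n for _, n in evs) for c, evs in hub_uploads(log_text).items()
            if sum(n for _, n in evs) > min_bytes}
```

On the constructed sample, the cadence check flags only the developer laptop, while a pure volume threshold flags the build agent that legitimately pushed a model; that difference is the reason to tune both rather than block the domain.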

What the Trojan Lifts From an Infected Machine

Under the hood, MicrosoftSystem64 is a remote access trojan (RAT, malware that gives an attacker hands-on control of a machine) with an unusually wide reach. It runs on Windows, Linux and macOS from a single 81 MB binary that needs no extra software pre-installed, and it answers to 24 separate remote commands.

On a compromised developer box, the implant goes after:

  • Saved credentials from 15 browser families
  • Data from more than 80 cryptocurrency wallet extensions
  • Hijacked Telegram Desktop sessions
  • SSH keys used to reach servers and code repositories
  • A continuous keylogger capturing what the victim types
  • A fresh screenshot every 60 seconds, uploaded as encoded image data

That mix is built for two payoffs at once: draining crypto and stealing the keys to a developer’s wider environment. SSH keys and browser sessions are the entry points to source code, cloud consoles and build pipelines, which is how a single infected laptop can become the first step into a company.

From a Poisoned npm Package to System-Wide Persistence

The infection does not start with HuggingFace at all. It starts in the open-source supply chain, with packages dressed up as routine developer tools on the public registry.

The npm Dropper Chain

The lead package, js-logger-pack, evolved through 29 versions in early April 2026, mutating from a harmless-looking probe into a WebSocket stealer and finally a binary dropper. Once installed, it quietly downloads and runs the second-stage implant. SafeDep and JFrog tied several sibling packages to the same operator, including terminal-logger-utils (obfuscated with RC4 and XOR encryption), ts-logger-pack, pretty-logger-utils and pinno-loggers, published across rotated accounts on the npm public registry.

Digging In Across Three Operating Systems

Once it lands, the malware uses each platform’s native tools to survive a reboot and labels its own process to mimic a genuine Microsoft background service. The persistence map looks like this:

Operating system | Persistence method                                            | Install directory
Windows          | Scheduled task plus a Run registry key under the current user | %LOCALAPPDATA%\MicrosoftSystem64
macOS            | LaunchAgent property-list file                                | ~/Library/Application Support/MicrosoftSystem64
Linux            | systemd user service plus an XDG autostart entry              | ~/.local/share/MicrosoftSystem64

If the connection drops, the implant reconnects to its command server over WebSocket and automatically retries any failed uploads, so a brief network outage costs the operators nothing. That command server sits at a Hetzner-hosted address in Germany and receives a notification each time a HuggingFace upload completes, stitching the legitimate platform and the private infrastructure into one workflow.

The North Korea Link and Contagious Interview’s Developer Hunt

Attribution points to Contagious Interview, a North Korea-aligned threat cluster also tracked as DeceptiveDevelopment and FAMOUS CHOLLIMA, and cataloged by MITRE as threat group G1052. The group’s signature is hunting developers, especially in crypto and Web3, through fake recruiters and trojanized coding assignments.

The scale of that operation dwarfs this single campaign. Researchers at Socket have linked more than 1,700 malicious packages to the activity since January 2025, spread across npm, PyPI, Go and other ecosystems. The crew rotates publisher identities constantly; in this case investigators tracked clusters tied to the handles jpeek and toskypi, plus a chain of throwaway accounts feeding the same back-end.

The payoff is real money. Earlier 2026 waves from DPRK-linked operators exfiltrated wallet keys controlling millions in crypto. A developer who unpacks a fake interview assignment is not just risking their own machine; they are handing over a foothold into whatever code, infrastructure and funds that machine can touch.

What Developers Should Do Right Now

If you installed anything from the jpeek or toskypi package clusters, treat the machine as compromised and move fast. The recommended response is direct:

  1. Scan every project’s dependency tree for the named packages and any others from the same publisher accounts.
  2. Isolate affected machines from the network before doing anything else.
  3. Rotate all credentials, API tokens and SSH keys that the machine ever held.
  4. Move crypto out of any wallet whose seed phrase or extension touched the device, then retire those seed phrases.
  5. Hunt for the persistence artifacts in the table above and remove the install directory on each platform.
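Step 1 in working code, as an added example that is not tooling from SafeDep, JFrog or npm: a Python walker over package-lock.json that reports the five package names above wherever they sit in the dependency tree, direct or transitive, and marks js-logger-pack builds from 1.1.22 onward, the versions the reporting says carry the dropper. The sample lockfile at the bottom is constructed for illustration.

```python
import json
import re

# Package names from the SafeDep/JFrog findings quoted in this article.
FLAGGED = {"js-logger-pack", "terminal-logger-utils", "ts-logger-pack",
           "pretty-logger-utils", "pinno-loggers"}
DROPPER_SINCE = ("js-logger-pack", (1, 1, 22))  # the build from which the dropper ships

def version_tuple(v):
    """'1.1.22' -> (1, 1, 22); only the leading numeric part counts, so '1.2.0-beta' -> (1, 2, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v or "")
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)

def walk_lockfile(lock):
    """Yield (name, version, install path) from a flat 'packages' map (v2/v3) or nested 'dependencies' (v1)."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:  # the "" entry is the root project itself, not a dependency
                yield path.rsplit("node_modules/", 1)[-1], meta.get("version", ""), path
        return
    def nested(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), path
            yield from nested(meta.get("dependencies", {}), path + "/")
    yield from nested(lock.get("dependencies", {}), "")

def find_flagged(lock):
    """Sorted (name, version, path, note) tuples for every flagged package, transitive ones included."""
    hits = []
    for name, ver, path in walk_lockfile(lock):
        if name in FLAGGED:
            note = "named in campaign reporting (jpeek/toskypi publisher clusters)"
            if name == DROPPER_SINCE[0] and version_tuple(ver) >= DROPPER_SINCE[1]:
                note = "dropper build: delivers the MicrosoftSystem64 implant"
            hits.append((name, ver, path, note))
    return sorted(hits)

def scan_lockfile(path):
    """Load a project's package-lock.json from disk and report flagged packages."""
    with open(path, encoding="utf-8") as fh:
        return find_flagged(json.load(fh))

# Constructed sample lockfile (not from a real project) showing a direct and a transitive hit.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/js-logger-pack": {"version": "1.1.25"},
    "node_modules/some-tool/node_modules/pinno-loggers": {"version": "0.3.1"}}}
```

Run scan_lockfile("package-lock.json") in each project root; the lockfile records what was actually installed, including packages pulled in transitively, which package.json alone does not show.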

Beyond the cleanup, the lasting fix is treating package installs as code execution, because that is what they are. The same caution applies to anything pulled from an AI model hub; HuggingFace publishes guidance on verifying hosted content and scanning for unsafe files, and pickle-format models still warrant the same suspicion as an unknown executable.

If the operators keep their token alive and HuggingFace removals stay slower than the attacker’s 24-hour update cycle, the campaign will keep harvesting data straight through the tools meant to catch it; if takedowns and dependency scanning finally outpace the rotation, this becomes the case study that pushes AI platform traffic onto every defender’s watch list.

Frequently Asked Questions

What is MicrosoftSystem64 malware?

MicrosoftSystem64 is a cross-platform remote access trojan that steals browser credentials, crypto wallet data, SSH keys, Telegram sessions, keystrokes and screenshots from infected machines. It disguises its process as a legitimate Microsoft service and uploads stolen data to private HuggingFace datasets, which makes its traffic look like normal requests to a trusted AI platform.

Which npm packages are linked to this campaign?

The main dropper is js-logger-pack, which delivers the malware from version 1.1.22 onward. Related packages include terminal-logger-utils, ts-logger-pack, pretty-logger-utils and pinno-loggers, published across rotated accounts in the jpeek and toskypi clusters.

How do I know if my machine is infected?

Check for a process or install folder named MicrosoftSystem64 in the per-platform directories, a scheduled task or Run registry key on Windows, a LaunchAgent on macOS, or a systemd user service and autostart entry on Linux. Outbound connections to a Hetzner-hosted server in Germany on port 8010 are another red flag. If you installed any of the listed packages, assume compromise.
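The persistence map from the table earlier and the checks in this answer, as one added Python script that is not from the article's sources: it computes the per-platform install directory, then looks through the LaunchAgents, systemd user service and XDG autostart directories, and the current user's Run registry key on Windows, for entries that name MicrosoftSystem64. The Windows scheduled task is not covered here; query it separately with schtasks.

```python
import os
from pathlib import Path

MARKER = "MicrosoftSystem64"

def expected_artifacts(system, home):
    """Persistence locations the article lists; `system` is a platform.system() value."""
    h = Path(home)
    if system == "Windows":
        return {"install_dir": Path(os.environ.get("LOCALAPPDATA", h / "AppData" / "Local")) / MARKER}
    if system == "Darwin":
        return {"install_dir": h / "Library" / "Application Support" / MARKER,
                "launch_agents": h / "Library" / "LaunchAgents"}
    return {"install_dir": h / ".local" / "share" / MARKER,
            "systemd_user": h / ".config" / "systemd" / "user",
            "xdg_autostart": h / ".config" / "autostart"}

def files_mentioning_marker(directory):
    """Files directly inside `directory` whose name or text contains the implant's name."""
    d = Path(directory)
    return [str(f) for f in (d.iterdir() if d.is_dir() else [])
            if f.is_file() and (MARKER in f.name or MARKER in f.read_text(errors="ignore"))]

def run_key_hits():
    """Windows only: HKCU ...\\CurrentVersion\\Run values whose data names the implant."""
    try:
        import winreg
    except ImportError:          # not Windows
        return []
    hits, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:      # no more values
                return hits
            if MARKER in str(data):
                hits.append(f"{name} = {data}")
            i += 1

def hunt(system, home):
    """Findings for one machine; an empty list means none of the listed artifacts were seen."""
    art = expected_artifacts(system, home)
    findings = [f"install directory present: {art['install_dir']}"] if art["install_dir"].exists() else []
    for label, d in art.items():
        if label != "install_dir":
            findings += [f"{label}: {p}" for p in files_mentioning_marker(d)]
    if system == "Windows":
        findings += [f"run_key: {e}" for e in run_key_hits()]
    return findings
```

Call hunt(platform.system(), Path.home()) on the machine under review; an empty result only means these particular artifacts are absent, so a machine that installed one of the listed packages still warrants the rebuild the answer above recommends.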

Is HuggingFace itself hacked?

No. The platform was not breached. The attackers created their own accounts and used the standard upload API to store stolen data in private datasets, abusing the service’s trusted reputation rather than any vulnerability in it.

What should I do if I installed an affected package?

Isolate the machine immediately, then rotate every credential, API token and SSH key it held and move funds out of any exposed crypto wallet before retiring its seed phrase. Remove the malware’s install directory and persistence entries, and rebuild the machine if you can rather than trusting a cleanup.

Who is behind the attack?

Researchers attribute the campaign to Contagious Interview, a North Korea-aligned group also tracked as DeceptiveDevelopment and FAMOUS CHOLLIMA, known for targeting developers through fake job interviews and poisoned open-source packages.
