lazarusholic

Everyday is lazarus.dayβ

Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace

2026-05-28, SafeDep
https://safedep.io/microsoftsystem64-binary-payload-analysis/
#FamousChollima #HuggingFace #NPM

## TL;DR

In early April 2026, a malicious npm package called `js-logger-pack` began evolving through 29 versions on the registry, progressing from a harmless probe into a full WebSocket stealer and eventually a binary dropper. [SafeDep's analysis](/malicious-js-logger-pack-npm-stealer) on April 15 first documented this evolution and identified its second-stage payload: a binary called `MicrosoftSystem64`. A week later, [JFrog Research](https://research.jfrog.com/post/hugging-face-exfil/) independently reported the same campaign, highlighting its novel abuse of HuggingFace as a data exfiltration channel.

Despite both disclosures, the threat remains fully active over six weeks later: our live infrastructure probe on May 28 confirmed the embedded HuggingFace token was still valid, the C2 server was accepting connections, and real victims were under active surveillance. The token has since been reported to HuggingFace for revocation.

`MicrosoftSystem64` itself is an 81 MB stripped ELF binary (with Windows and macOS variants) that packages …