npm

js-logger-pack

js-logger-pack is identified in the SafeDep analysis "Malicious npm Package js-logger-pack Ships a Multi-Platform WebSocket Stealer". js-logger-pack spent three weeks on npm evolving from a probe into a full infostealer and then a binary dropper. Early versions installed an SSH backdoor, hijacked Telegram sessions, drained 27 crypto wallets, and deployed a cross-platform keylogger. After disclosure on April 15, the attacker pivoted to a HuggingFace-hosted binary dropper named MicrosoftSystem64, now at v1.1.26 with 29 total releases.

discovered 2026-04-15

Threat types

credential_stealercrypto_drainerdata_exfiltrationpersistencec2_agent

Malicious versions

0.0.1
1.0.0
1.1.0
1.1.2
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.14
1.1.17
1.1.18
1.1.19
1.1.20
1.1.21
1.1.22
1.1.23
1.1.24
1.1.25
1.1.26

Campaigns

No Specific Campaignattributed-to

Indicators

domainapi-sub.jrodacooker.devcommunicates-with
domainhuggingface.cocommunicates-with
ipv4195.201.194.107communicates-with
ipv44.0.0.0communicates-with
sha256a49eee6b6db9da14db46587b68bf1d8a80976812f629bf3e100ac6ba83cf8490indicates
sha2566ce3b22b07fd5aef1dd77237334d80718601e4e02a706485572d3dda8993a4e3indicates
sha256571533a643e67c38087f4da8cce0d3dc14670a52403717e4943433d392860a7findicates
sha256585c5ab1fea06bed4956e34ffd6d6b576122addd34d252b163ae0801098e9eafindicates
sha2569f0a7174f9537bdbf63fe2329cea9a14198076180390af9f43a0e5b5c7c46912indicates
sha256e35801137cd09fa02aa996145d18ec68d67d71db9810f2608a6285ee1c08b054indicates
sha256df45bbac7695f0edad3edde36904f2722f2af761887744a2f1d65df705d28dc6indicates
sha25643c93c609d48b6cb4f1275c285b5e6960ef74e7f5811b442e3c1038d49128d73indicates

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1552.004 Unsecured Credentials: Private Keysuses
ttpT1539 Steal Web Session Cookieuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1102 Web Serviceuses
ttpT1546 Event Triggered Executionuses

Read the full analysis →