MicrosoftSystem64
MicrosoftSystem64 is a cross-platform remote access trojan and infostealer implemented as an approximately 81 MB Node.js Single Executable Application (SEA) binary for Windows, macOS, and Linux. It was distributed in a software supply-chain campaign through malicious npm packages, initially the js-logger-pack family across 29 versions in April 2026, and later through terminal-logger-utils, ts-logger-pack, pretty-logger-utils, and pinno-loggers in May 2026. In analyzed js-logger-pack samples, the package used a bait-and-switch approach in which a benign-looking logger was presented while a postinstall script executed a downloader that fetched platform-specific MicrosoftSystem64 binaries from the Hugging Face repository Lordplay/system-releases.
Once executed, MicrosoftSystem64 sets its process title to resemble a legitimate Microsoft background service, establishes persistence, and connects to a hard-coded controller at 195.201.194.107:8010 over WebSocket and HTTP. Reported persistence mechanisms include a scheduled task and Run key on Windows, a LaunchAgent on macOS, and a systemd user unit or XDG autostart entry on Linux. The malware self-updates by checking Hugging Face every 24 hours and replacing its own binary without any signature or checksum validation, so whoever controls the hosting repository can swap in arbitrary code at any time.
The malware exposes a 24-task remote command surface with broad host access and data-theft capability. Reported capabilities include collection of system information; drive and directory listing; arbitrary file read, write and delete and directory creation; recursive file scanning; deployment of additional binaries; browser session clearing; clipboard monitoring; continuous keylogging on all three platforms; and screenshot capture every 60 seconds. Keylogging was reported as implemented with SetWindowsHookEx on Windows, CGEventTap on macOS, and evdev or X11-based mechanisms on Linux. Credential theft covers stored credentials from 15 browser families, data from more than 80 cryptocurrency wallet browser extensions, Telegram Desktop sessions, and SSH keys.
For staging and exfiltration, MicrosoftSystem64 abuses Hugging Face. Public reporting states that binaries were hosted from Lordplay/system-releases, while stolen data was uploaded to private Hugging Face datasets controlled by the attacker, including use of the account jpeek998. The malware can archive requested files, upload them to attacker-controlled private datasets, and resume failed uploads from local state. SafeDep reported confirmed victim activity including 417 screenshots and a 500 MB credential archive exfiltrated from two victims as of 2026-05-28.
The campaign targeted developers through malicious npm packages in the open-source ecosystem. Public reporting cited attribution alignment with FAMOUS CHOLLIMA / Contagious Interview, including infrastructure and identity-anchor overlaps, though attribution remains based on campaign linkage rather than malware-exclusive proof. High-confidence infrastructure directly mentioned in reporting includes ws://195.201.194.107:8010 and associated actor-linked hosts such as api-sub.jrodacooker.dev and log.pricesheet.ink. Reported hashes from JFrog’s analysis include SEA blob SHA-256 46b9522ba2dc757ac00a513dbd98b28babb018eae92347f2cbc3c7a5020872b5 and embedded JavaScript payload SHA-256 1c83019b52be6da9583d28fe934441a74eacef0cd7dbb9d71017122de6fe7cfc.
Groups observed using it
2 distinct threat actors attributed by public researchers.
MicrosoftSystem64: a multi-platform Node.js SEA RAT/infostealer delivered through the npm js-logger-pack family (29 versions, April 2026) and the May 2026 successor packages terminal-logger-utils, ts-logger-pack, pretty-logger-utils, and pinno-loggers.
"Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace" published by SafeDep.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
6 techniques
Once a developer installs the package, an install-time script silently downloads and executes MicrosoftSystem64, an approximately 81 MB binary that runs on Windows, Linux, and macOS without any separately installed runtime, because the Node.js runtime is bundled into the SEA executable.
Persistence
7 techniques
Once installed, the malware digs in using the native persistence tools of each platform: a scheduled task and Run key on Windows, a LaunchAgent on macOS, and a systemd user unit or XDG autostart entry on Linux.
Baseline automatic behavior (performed without an operator command) includes persisting via a scheduled task and Run key on Windows.
macOS LaunchAgent persistence path: ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist
Privilege Escalation
7 techniques
Stealth
2 techniques
Credential Access
4 techniques
Discovery
1 technique
Collection
4 techniques
Command and Control
3 techniques
Exfiltration
2 techniques
IOCs tracked for this family
39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Cross-platform remote access trojan delivered via poisoned npm packages that steals browser credentials, cryptocurrency wallet data, Telegram Desktop sessions, SSH keys, keystrokes, and screenshots; persists across Windows, Linux, and macOS; uses HuggingFace for binary hosting, self-updates, and exfiltration; and supports remote command execution.
A remote access trojan referenced in the context of a supply chain campaign, described as exfiltrating data to HuggingFace.
A supply-chain remote access trojan delivered via malicious npm packages. It is described as a Node.js SEA binary that steals browser credentials, cryptocurrency wallet extension data, and Telegram sessions, and exfiltrates data to HuggingFace.
A remote access trojan delivered via malicious npm packages as an 81 MB Node.js SEA binary. It is described as stealing browser credentials, data from more than 80 crypto wallet extensions, and Telegram sessions, and exfiltrating data to HuggingFace.