- Microsoft flagged two malicious npm packages abusing Hugging Face APIs.
- The packages deployed a RAT to steal keystrokes, screenshots, and wallet data.
- The incident highlights ongoing npm supply chain risks targeting crypto users.
On June 3, 2026, Microsoft Threat Intelligence reported that two compromised npm packages were deploying a remote access trojan (RAT) to steal keystrokes, screenshots, and crypto wallet credentials while abusing Hugging Face repositories (repos) for data exfiltration.
Microsoft Flags Two Malicious npm Packages
Microsoft Threat Intelligence has identified two malicious npm packages, [email protected] and [email protected], that were compromised or published with malicious intent. These packages deploy a RAT that can capture keystrokes, take screenshots, and steal cryptocurrency wallet credentials.
The packages abuse Hugging Face repositories as exfiltration infrastructure, blending malicious traffic with legitimate machine learning workloads to evade detection. The packages were published by npm user hexalpha10 (author: toskypi).
How the RAT Steals Wallet Credentials
When developers or build pipelines install the compromised npm packages, the packages silently deploy a full-featured RAT. The RAT is designed to run in the background and actively steal sensitive information. It achieves this by monitoring user activity on infected systems, capturing input that often includes wallet passwords, seed phrases, or private keys, and extracting stored credentials from popular crypto wallet applications and browser extensions.
To maintain long-term access, the malware establishes persistence immediately after installation using platform-specific methods:
- On Windows: It creates a Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64 and sets up a scheduled task named MicrosoftSystem64.
- On Linux: It installs a systemd service called MicrosoftSystem64.service.
The payload is dropped into a dedicated directory (MicrosoftSystem64/payload.js), allowing the RAT to operate independently of the original npm package. The RAT uses two command-and-control (C2) servers, 195.201.194.107:8010 (WebSocket) and c2-toskypi.onrender.com (HTTP), and cleverly exfiltrates stolen data by abusing legitimate Hugging Face repositories as its data exfiltration endpoint (huggingface.co/api).
Evolving AI-Powered Supply Chain Threats
The discovery of the malicious npm packages marks another stark reminder of how quickly software supply chain attacks are evolving, particularly those that weaponize trusted AI infrastructure like Hugging Face for stealthy operations.
The immediate impact is clear as developers and organizations relying on npm dependencies now face heightened risk of credential theft and long-term compromise, especially in environments handling cryptocurrency or sensitive developer tokens. Standard security tools that whitelist Hugging Face traffic as “benign ML activity” can no longer be trusted without additional context.
Looking ahead, Microsoft Threat Intelligence urges defenders to treat any unexpected traffic to huggingface.co/api from non-ML workloads may indicate compromise. This campaign highlights increasingly sophisticated AI-enabled malware and drives a shift toward behavior-based detection, continuous outbound API monitoring, hardened npm supply chain controls, and zero-trust validation of open-source dependencies.
Related: TrapDoor Malware Campaign Targets Aptos, Solana, and Sui Developer Ecosystems
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
