Hijack in the Cloud: How NPM Malware Weaponized Hugging Face as a Data Heist Hub
A cross-platform supply chain attack has turned the trusted AI platform Hugging Face into a covert backend for malware delivery and data exfiltration via a compromised NPM package.
By the time you finish reading this, your clipboard, keystrokes, and secrets could already be sitting in an attacker’s AI dataset. The open-source ecosystem just suffered its latest - and perhaps most audacious - betrayal: a popular NPM package has stealthily transformed Hugging Face, the darling of the machine learning world, into a dark web backend for cybercriminals.
Inside the Supply Chain Sabotage
The attack originated with js-logger-pack, an NPM package masquerading as a benign logging utility. But beneath its innocent surface, a cleverly hidden postinstall script executes a secondary payload (print.cjs), which silently launches a platform-specific malware downloader. This downloader fetches its next-stage binaries not from some sketchy server, but from the reputable Hugging Face platform, specifically from datasets under the attacker’s control.
Previously, Hugging Face had been abused merely as a malware hosting CDN. Now, attackers have escalated: it’s a two-way street. Not only are victims’ systems infected with cross-platform implants, but the stolen data - keystrokes, clipboard contents, credentials, sensitive files - are quietly uploaded back to Hugging Face, exploiting its generous infrastructure for storage and command-and-control (C2) operations. This move allows attackers to sidestep the usual C2 bottlenecks and detection techniques, embedding their operations in legitimate AI traffic.
Technical analysis by JFrog Security revealed that the same malicious JavaScript bundle is injected into four different Node.js SEA containers, covering all major OSes and architectures. The result? A single campaign with near-universal reach, hiding in plain sight within the open-source supply chain. Because the same cross-platform bundle ships in every build, even the telltale strings inside a binary do not match the platform it targets.
For defenders, the implications are chilling. Any developer or CI/CD pipeline that installed js-logger-pack could now be leaking secrets directly to a data repository camouflaged as an innocent AI project. Standard detection tools may miss the threat, as it blurs the line between legitimate data science activity and criminal exfiltration.
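One place the "legitimate AI traffic" camouflage can still be caught is the egress layer: a build runner or developer workstation that suddenly uploads to huggingface.co is the signal, not the platform itself. The scanner below is an added example, not code from the article or from JFrog; it assumes a simple proxy log format, a constructed allowlist of hosts that are expected to talk to Hugging Face, and constructed sample log lines and URLs.

```javascript
// Added example, not code from the article or from JFrog: scan web-proxy log
// lines for traffic to huggingface.co from hosts that have no business there.
// The log format, host names, URLs and byte counts below are constructed.

const WATCHED_HOSTS = new Set(['huggingface.co']);          // platform named in the article
const UPLOAD_METHODS = new Set(['POST', 'PUT', 'PATCH']);   // methods that carry data out
const ALLOWED_SOURCES = new Set(['ml-train-01']);           // hosts expected to use HF (assumption)

// Constructed log format: "<timestamp> <source_host> <method> <url> <bytes_sent>"
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z ci-runner-7 GET https://registry.npmjs.org/js-logger-pack 812',
  '2024-01-01T10:00:03Z ci-runner-7 GET https://huggingface.co/datasets/example-org/example-set/resolve/main/stage2.bin 980',
  '2024-01-01T10:01:10Z ci-runner-7 POST https://huggingface.co/api/datasets/example-org/example-set/upload 524288',
  '2024-01-01T10:02:00Z ml-train-01 POST https://huggingface.co/api/datasets/our-org/corpus/upload 9000000',
  '2024-01-01T10:03:00Z dev-laptop-3 PUT https://huggingface.co/api/datasets/example-org/example-set/upload 2048',
  'this line is malformed and must not crash the scanner',
];

// Parse one line; returns null for lines that do not fit the format.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 5) return null;
  const [timestamp, source, method, url, bytes] = parts;
  let hostname;
  try { hostname = new URL(url).hostname; } catch { return null; }
  return { timestamp, source, method: method.toUpperCase(), url, hostname, bytes: Number(bytes) || 0 };
}

// Uploads to a watched host from a non-allowlisted source are reported as
// possible exfiltration; downloads from one as possible payload staging.
function scanProxyLog(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !WATCHED_HOSTS.has(rec.hostname) || ALLOWED_SOURCES.has(rec.source)) continue;
    const kind = UPLOAD_METHODS.has(rec.method) ? 'upload' : 'download';
    findings.push({ kind, source: rec.source, method: rec.method, url: rec.url,
                    bytes: rec.bytes, timestamp: rec.timestamp });
  }
  return findings;
}

// Total bytes uploaded per source host: the first number a responder asks for.
function bytesUploadedBySource(findings) {
  const totals = {};
  for (const f of findings) {
    if (f.kind !== 'upload') continue;
    totals[f.source] = (totals[f.source] || 0) + f.bytes;
  }
  return totals;
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scanProxyLog(SAMPLE_LOG);
  for (const f of findings) {
    console.log(`${f.kind.padEnd(8)} ${f.source} ${f.method} ${f.url} (${f.bytes} bytes)`);
  }
  console.log(bytesUploadedBySource(findings));
}
```

On the constructed sample the scanner reports two uploads (ci-runner-7 and dev-laptop-3) and one download (ci-runner-7 pulling a file from a dataset), while the allowlisted training host is ignored. The allowlist is the important design choice: blocking huggingface.co outright is rarely acceptable in a company that does ML work, but a CI runner or an engineer's laptop pushing half a megabyte to a dataset repository is worth an alert.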
What Now? Defending Against the Invisible Data Drain
Immediate response is paramount: rotate all secrets, kill any persistence mechanisms, and purge infected modules. Extra caution is advised - disable NPM lifecycle (install) scripts and audit dependencies thoroughly. This incident is a sobering reminder: even the most trusted platforms can be weaponized, and the line between innovation and exploitation is thinner than ever.
WIKICROOK
- NPM: A widely used package manager for JavaScript, enabling code sharing and reuse.
- Hugging Face: An AI platform known for hosting machine learning models and datasets.
- Cross-platform implant: Malware designed to operate on multiple operating systems with the same codebase.
- Exfiltration: The unauthorized transfer of data from a victim’s system to an attacker’s infrastructure.
- Single Executable Application (SEA): A format that bundles a Node.js runtime and application code into one binary for easy deployment.
Conclusion: The supply chain threat landscape just evolved - your next AI dataset might not just train models, but train attackers how to steal your world. Vigilance in open-source hygiene is no longer optional; it’s survival.