Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hugging Face Exploited in North Korean Malware Attack

Hugging Face Exploited in North Korean Malware Attack

Posted on May 22, 2026 By CWS

Hackers Exploit Hugging Face in Supply Chain Attack

Hackers have discovered a new method to exploit Hugging Face, a prominent platform in the AI community, to distribute malware. Linked to North Korea, these threat actors have embedded second-stage malware within Hugging Face, transforming it into a vehicle for a sophisticated npm supply chain attack. The attack, which affects software developers globally, cleverly uses Hugging Face as a malware delivery channel and a conduit for data exfiltration.

Initial Attack Vector and Malicious Packages

The attack originated with an npm package named “terminal-logger-utils,” masquerading as a standard development tool. This package was part of a larger scheme involving three additional packages: pretty-logger-utils, ts-logger-pack, and pinno-loggers. These packages propagated the malicious code further, putting any developer who installed them at significant risk. The malware was designed to steal sensitive data such as Telegram information, SSH keys, cryptocurrency wallets, and more.

Security researchers at OX Security identified these malicious packages and linked them to known North Korean cyber operations. The threat actor, operating under the npm account “jpeek895,” had been previously identified for similar activities. The malicious package exhibited keylogger, infostealer, and remote access trojan (RAT) capabilities, making it a particularly dangerous threat.

Hugging Face as a Concealed Malware Host

One of the standout features of this attack is the strategic use of Hugging Face to avoid detection. Instead of hosting malware on suspicious servers, the attackers used Hugging Face’s trusted platform to host the second-stage binary. This tactic allowed malicious traffic to blend seamlessly with regular AI research activities, thus evading security checks.

Stolen data was uploaded to private datasets on Hugging Face, further concealing the malicious activity. The npm maintainer accounts related to the dependent packages played a critical role in spreading the infection. Developers who interacted with these packages are urged to check their environments for compromise.

Technical Details and Security Measures

The malware initiates its attack through a postinstall hook in the package.json file. When a developer executes npm install, the hook triggers a file called utils.cjs, an obfuscated malware dropper that fetches the appropriate binary from Hugging Face based on the victim’s operating system. This binary, a Node.js Single Executable Application, allows the attacker full control over the compromised machine.

Once installed, the malware establishes persistence on Windows systems by creating a hidden VBS launcher and a scheduled task, while also setting a registry Run key as a backup. The malware is capable of self-updating by connecting to the attacker’s Hugging Face repository, allowing for seamless updates without reinfection.

Security teams are advised to immediately remove the malware, block network requests to known indicators of compromise, and enforce full key rotation with two-factor authentication. Developers should treat unfamiliar postinstall scripts with caution and prefer secure lockfile-driven installations in CI environments.

Cyber Security News Tags:AI platforms, Cybersecurity, data exfiltration, Hugging Face, InfoStealer, Keylogger, malware attack, North Korea, NPM, npm packages, remote access trojan, security threat, software developers, supply chain attack

Post navigation

Previous Post: Canadian Accused of Running Major DDoS Botnet
Next Post: Megalodon Campaign Targets Thousands of GitHub Repositories

Related Posts

Critical Flaw in Synology DSM Risks Remote Exploitation Critical Flaw in Synology DSM Risks Remote Exploitation Cyber Security News
OpenVPN Driver Vulnerability Let Attackers to Crash Windows Systems OpenVPN Driver Vulnerability Let Attackers to Crash Windows Systems Cyber Security News
Researchers Bypassed Web Application Firewall With JS Injection with Parameter Pollution Researchers Bypassed Web Application Firewall With JS Injection with Parameter Pollution Cyber Security News
Apache Log4j Vulnerability Allow Attackers to Intercept Sensitive Log Data Apache Log4j Vulnerability Allow Attackers to Intercept Sensitive Log Data Cyber Security News
CodeSign Secure v3.02: Future of Code Signing with PQC CodeSign Secure v3.02: Future of Code Signing with PQC Cyber Security News
Critical Flaw in Cisco Secure Workload Exposes APIs Critical Flaw in Cisco Secure Workload Exposes APIs Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark