MicrosoftSystem64 Malware Exploits Hugging Face for Data Theft
Severity: High (Score: 64.5)
Sources: Gbhackers, Cybersecuritynews
Keywords: malware, microsoftsystem64, data, huggingface, stealthy, uses, datasets
Severity indicators: data exfiltration, exfiltration, malware, rat
Summary
A sophisticated malware named MicrosoftSystem64 has been identified, leveraging Hugging Face datasets for data exfiltration. This malware, which masquerades as a legitimate Microsoft process, has been active since early April 2026 and has undergone 29 version updates, evolving from a benign logging tool into a potent information stealer and remote access Trojan. The attack primarily targets the npm ecosystem, affecting numerous developers and organizations that utilize these packages. The malware's stealthy operation makes it difficult for security tools to detect, raising concerns about its potential widespread impact. Current mitigation efforts are ongoing, but specific details on remediation are limited. Security professionals are advised to monitor their systems for unusual activities related to npm packages.

Key Points:
- MicrosoftSystem64 malware disguises itself as a legitimate Microsoft process.
- The malware exploits Hugging Face datasets for stealthy data exfiltration.
- 29 versions of the malware have been released since early April 2026.
Detailed Analysis
**Impact** The malware targets users of the npm ecosystem, affecting developers and organizations relying on JavaScript packages globally. It has evolved into a cross-platform information stealer and remote access Trojan, risking sensitive data theft from infected systems. The malware’s disguise as a Microsoft process increases the likelihood of evading detection, potentially impacting multiple sectors that use Microsoft software and AI development tools.

**Technical Details** The attack vector is a supply chain compromise via the malicious npm package js-logger-pack, which has gone through 29 incremental versions since April 2026. The malware uses Hugging Face’s AI platform to stealthily exfiltrate stolen data, leveraging legitimate infrastructure to avoid detection. No CVEs or specific IOCs were provided in the articles.

**Recommended Response** Defenders should immediately audit and restrict npm package usage, especially js-logger-pack, and monitor network traffic for unusual connections to Hugging Face domains. Endpoint detection rules should focus on processes masquerading as Microsoft system components. No patch information is available; continuous monitoring for anomalous data exfiltration through AI platforms is advised.
Source articles (2)
- MicrosoftSystem64 Malware Abuses Hugging Face for Stealthy Data Theft — Gbhackers · 2026-05-29
A sophisticated supply chain attack targeting the npm ecosystem has been uncovered, involving a malicious package named js-logger-pack that evolved into a powerful cross-platform malware loader. First…
- MicrosoftSystem64 Malware Uses HuggingFace Datasets for Stealthy Data Exfiltration — Cybersecuritynews · 2026-05-29
A newly discovered malware called MicrosoftSystem64 has been quietly stealing data from infected computers by routing stolen files through HuggingFace, the popular AI platform used by researchers and…
Timeline
- 2026-04-01 — MicrosoftSystem64 first observed: The malware was first detected in the npm ecosystem, evolving from a benign logging utility.
- 2026-05-29 — Malware details published: Reports detail the malware's use of Hugging Face for data theft and its stealthy operation.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- Trojan (Attack Type)
- Js-logger-pack (Malware)
- MicrosoftSystem64 (Malware)
- T1195 - Supply Chain Compromise (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Hugging Face (Tool)
- Npm (Tool)
- HuggingFace (Company)