North Korea’s AI Poison: Hugging Face Weaponized in Devastating npm Supply Chain Attack + Video

Listen to this Post

Featured Image

Introduction

A newly discovered supply chain attack has weaponized the AI community’s most trusted platform, Hugging Face, transforming it into a malware delivery network and clandestine data exfiltration channel. Orchestrated by a North Korean (DPRK)-linked threat actor, this sophisticated campaign exploits the npm ecosystem through deceptive logging utility packages, marking a dangerous evolution in how nation-state actors bypass enterprise security controls.

Learning Objectives

  • Attack Vector Analysis: Understand how a multi-stage supply chain attack uses `postinstall` hooks to deploy malware via legitimate platforms.
  • IoC Identification & Mitigation: Learn to detect malicious npm packages (terminal-logger-utils, pretty-logger-utils, ts-logger-pack, pinno-loggers) and remove associated persistence mechanisms.
  • Platform Abuse Detection: Identify indicators of “living-off-trusted-services” where Hugging Face is used for payload hosting and data exfiltration.

You Should Know

  1. Anatomy of a Phantom Logger: How the Malware Operates
    The attack circumvents traditional detection by disguising malware as routine development tools. The primary malicious package, terminal-logger-utils, along with its dependents (pretty-logger-utils, ts-logger-pack, and pinno-loggers), masquerade as benign logging utilities. However, they contain a dangerous `postinstall` script embedded in their package.json. When a developer runs npm install, this hook silently executes an obfuscated file named utils.cjs. This dropper checks the victim’s operating system and fetches the appropriate second-stage binary from a private Hugging Face repository operated by the attacker (e.g., “Lordplay/system-releases”).

Technical Breakdown & Hands-on Detection:

The `postinstall` Hook: The trigger resides in the `package.json` file of the malicious package.

// Malicious package.json snippet
{
"name": "terminal-logger-utils",
"version": "1.1.0",
"scripts": {
"postinstall": "node utils.cjs" // <-- The malicious entry point
}
}

Manual Detection & Cleanup:

To identify if your system is compromised, check for rogue npm processes and network connections.

Linux/macOS:

 Check for running Node.js processes initiated by the malicious package
ps aux | grep -E "terminal-logger-utils|utils.cjs"

Investigate outbound connections to Hugging Face
sudo lsof -i | grep huggingface
netstat -anp | grep :443 | grep ESTABLISHED

Windows (PowerShell as Administrator):

 Find Node.js processes
Get-Process -Name "node" | Select-Object -Property Id, ProcessName, StartTime

Check network connections to Hugging Face
netstat -ano | findstr "443"
 Match the PID with the processes found above

Hunting for the Dropper: Search for the execution of the dropper script.

 Linux/macOS
find / -name "utils.cjs" 2>/dev/null | xargs grep -l "postinstall"
 Windows
Get-ChildItem -Path C:\ -Filter "utils.cjs" -Recurse -ErrorAction SilentlyContinue

2. Exploiting Trust: Hugging Face as Covert Infrastructure

The operation’s sophistication lies in its use of Hugging Face, a platform universally allowlisted by enterprise security tools as benign AI research infrastructure. By hosting the second-stage malware binary on Hugging Face, the attacker ensures that the payload download blends seamlessly with normal traffic, evading traditional Network Detection and Response (NDR) systems. Furthermore, the implant exfiltrates stolen data—including SSH keys, cloud credentials (AWS, GCP, Azure), and crypto wallets—back to private Hugging Face datasets via the platform’s API, rendering the exfiltration invisible to most data loss prevention (DLP) tools.

Step-by-Step Guide to Countering This Tactic:

  1. Network Traffic Inspection: Since standard blocklists are ineffective, implement deep packet inspection for traffic to huggingface.co.
  2. Implement Allowlisting with Behavioral Analysis: Create firewall rules that permit Hugging Face API access only for known, sanctioned projects.
    Linux (iptables)
    iptables -A OUTPUT -p tcp --dport 443 -d huggingface.co -j LOG --log-prefix "HUGGING_FACE_TRAFFIC: "
    iptables -A OUTPUT -p tcp --dport 443 -d huggingface.co -m owner --uid-owner <sanctioned_uid> -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 443 -d huggingface.co -j DROP
    
  3. eBPF Monitoring: For advanced Linux environments, use eBPF to detect anomalous high-volume data uploads to AI platforms.
    Monitor write throughput to external APIs (conceptual)
    bpftrace -e 'kprobe:tcp_sendmsg /comm == "node"/ { @bytes = sum(arg2); }'
    

3. The Implant’s Arsenal: Keylogging, RAT, and Persistence

The second-stage binary, a Node.js Single Executable Application, establishes a cross-platform implant combining keylogging, infostealing, and Remote Access Trojan (RAT) capabilities. It establishes persistence by creating a hidden directory (%LOCALAPPDATA%\MicrosoftSystem64 on Windows) and registering a scheduled task or VBS launcher to survive reboots. A parallel collection loop continuously logs keystrokes, polls clipboard data, and specifically tracks password field input (pwdKeyString), exfiltrating this data via HTTP POST requests disguised as API calls. It then establishes a WebSocket connection to the attacker’s server for full remote control, enabling file manipulation, shell command execution, and screen capture.

Step-by-Step Guide to Uncovering and Removing the Implant:

1. Windows Persistence Investigation:

 Check for the specific malicious scheduled task
Get-ScheduledTask | Where-Object {$_.TaskName -like "MicrosoftSystem64"}
 Check the registry Run key for fallback persistence
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

2. Unix-based Systems (Linux/macOS):

 Check for crontab persistence
crontab -l | grep -i "node|terminal-logger"
 Check systemd services
systemctl list-unit-files | grep -i "node|logger"

3. Process and Connection Cleanup:

 Windows: Terminate malicious process and delete persistence
Stop-Process -Id <Malicious_PID> -Force
schtasks /Delete /TN "\MicrosoftSystem64" /F
 Linux: Kill the process and remove its directory
sudo kill -9 <Malicious_PID>
sudo rm -rf ~/.local/share/MicrosoftSystem64
  1. Attacking the Developer Supply Chain: The Dependency Confusion Technique
    The attackers orchestrated a classic yet effective supply chain compromise. By creating the primary malicious package (terminal-logger-utils) and three dependent packages (pretty-logger-utils, ts-logger-pack, pinno-loggers) that imported it, they maximized infection vectors. Developers or automated build systems unknowingly installing any of these plausible-named packages triggered the payload via the `postinstall` script of the primary package. This tactic, known as dependency confusion or dependency hijacking, preys on the trust placed in transitive dependencies, a critical vulnerability in modern open-source ecosystems.

Step-by-Step Guide to Securing Your npm Pipeline:

Preventative Controls in CI/CD:

 In CI pipelines, use npm ci instead of npm install
npm ci
 Run security audit before build
npm audit --audit-level=high
 Use a private npm registry proxy (e.g., Verdaccio, JFrog) to vet packages

Immediate Remediation Actions (Recommended by OX Security):

  1. Remove Malware: Identify and uninstall the malicious packages.
    npm uninstall terminal-logger-utils pretty-logger-utils ts-logger-pack pinno-loggers
    
  2. Check for Compromise Indicators: Search for network requests to the attackers’ Hugging Face repositories and C2 servers.
  3. Rotate Credentials: Immediately rotate all SSH keys, cloud API keys (AWS, GCP, Azure), and browser-stored passwords.
  4. Enforce 2FA: Enable and enforce multi-factor authentication for all developer and cloud accounts.

5. Threat Actor Attribution and Geographic Targeting

OX Security researchers traced the campaign to the npm account jpeek895, a handler previously documented on `kmsec.uk` for uploading DPRK-linked npm malware. The specific targeting—SSH keys, cloud credentials, and cryptocurrency wallets—aligns with North Korea’s strategic cyber objectives of generating revenue and infiltrating corporate infrastructure. This attack underscores a pivot from merely deploying ransomware to establishing long-term persistence on the machines of developers, who serve as high-value bridges to production environments and core intellectual property.

6. Cloud Hardening Against Exfiltration

Given the implant’s targeting of cloud configuration files (~/.aws/credentials, ~/.config/gcloud/), immediate cloud environment hardening is critical.

Step-by-Step Guide to Mitigating Cloud Access Token Theft:

  1. Use Temporary Credentials: Avoid long-lived access keys. Enforce the use of AWS IAM Roles or Azure Managed Identities with short-lived tokens.

2. Detect Anomalous API Calls:

 AWS CloudTrail example: Search for API calls from unapproved geolocations or instances
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue

3. Implement Network Policies: Block access to metadata endpoints from untrusted processes.

 Linux iptables rule to block unauthorized access to AWS metadata service
iptables -A OUTPUT -d 169.254.169.254 -j DROP

4. Continuous Monitoring: Set up alerts for the creation of new Hugging Face datasets or unusual data upload volumes from developer endpoints using a SIEM (e.g., Splunk, ELK) or an EDR solution.

What Undercode Say:

  • The New Frontier of Abuse: This marks a decisive shift where threat actors no longer rely on obscure or malicious domains, but instead actively weaponize the trust placed in legitimate, high-traffic platforms like Hugging Face.
  • Developer Trust is a Liability: The campaign’s success is a stark reminder that implicit trust in open-source dependencies and `postinstall` hooks is a major security gap. Proactive security hygiene, including software composition analysis (SCA) and strict dependency management, is no longer optional.

The exploitation of Hugging Face for both malware staging and data exfiltration represents a new class of “living-off-the-land” (LotL) attacks in the AI supply chain. By abusing a platform that is universally trusted and allowlisted, attackers have rendered traditional domain-based blocklisting and reputation checks obsolete. This technique is likely to be rapidly adopted by other cybercriminal groups.

Prediction:

This attack is a prelude to a broader wave of “platform-hopping” campaigns. As AI platforms become the new cloud, their enterprise trust will be systematically exploited. Future attacks will evolve to use AI model `pickle` files or ChatGPT plugins to deliver similar multi-stage implants, making binary analysis exponentially harder. Expect a surge in malicious models on Hugging Face designed to evade detection through steganography, turning the platform into a sprawling, unregulated malware repository. Consequently, we will see the emergence of specialized security tools for AI supply chains, akin to SCA tools for code, as organizations grapple with the new reality that their most innovative assets are also the new primary attack vector.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky