North Korean Attackers Abuse Hugging Face to Spread Malicious npm Packages

Attack Overview and Initial Infection

A threat actor with ties to North Korea has launched a sophisticated supply chain attack targeting software developers through the npm package ecosystem. The attack starts with a seemingly benign npm package called “terminal-logger-utils” that mimics a routine development utility. Three additional packages, “pretty-logger-utils”, “ts-logger-pack”, and “pinno-loggers,” import and propagate the malicious behavior. When developers install any of these packages, the malware immediately compromises their system.

Contents

Attack Overview and Initial Infection Infrastructure Abuse and Detection Evasion

The installed malware is capable of stealing a wide range of sensitive data, including Telegram session data, SSH private keys, cryptocurrency wallet files, browser login credentials, cloud configuration files, and environment variables from multiple drives. Security researchers at OX Security identified the packages and connected the threat actor to previously documented North Korean campaigns.

Infrastructure Abuse and Detection Evasion

The most distinctive aspect of this attack is how the threat actor weaponized Hugging Face, a trusted platform for AI and machine learning models. Rather than operating their own suspicious command and control servers, the attackers hosted the second stage malware binary on Hugging Face’s infrastructure. This choice makes detection significantly harder because security filters and network monitoring tools commonly whitelist traffic to legitimate platforms like Hugging Face.

Stolen data from compromised developer machines was also exfiltrated to private datasets on Hugging Face, camouflaging malicious activity as routine AI research traffic. This technique allows the attackers to blend into legitimate platform usage and avoid triggering security alerts. The threat actor accounts involved include “jpeek895” (previously flagged for similar DPRK linked activity), “pvnd3540749”, “yggedd817513”, and “jpeek886”. Any developer who installed these packages during the active period should assume their environment is compromised and take immediate remediation steps.

Source: Cyber Security News

North Korean Attackers Abuse Hugging Face to Spread Malicious npm Packages

A North Korean linked threat actor uses Hugging Face's trusted platform to host malware and exfiltrate stolen data from developer machines infected through malicious npm packages.

Attack Overview and Initial Infection

Infrastructure Abuse and Detection Evasion

Trending

Trend Micro Apex One Directory Traversal Flaw Actively Exploited in Targeted Attacks

Google Accidentally Publishes Details of Unfixed Chromium Bug Allowing Silent JavaScript Execution

Unlocking Hidden Attack Surface: Testing Windows Drivers Without Their Hardware

International Operation Shuts Down VPN Service Used by Two Dozen Ransomware Groups

Anthropic’s Claude Mythos AI Uncovers Thousands of Critical Flaws in Key Software

Related Stories

Backdoored art-template npm Package Turns Websites into iOS Exploit Delivery Points

Trellix Repository Compromised in Source Code Theft Incident

Iranian Strikes on Amazon Data Centers Highlight Industry Vulnerability to Physical Disasters

Compromised CI/CD Tool Steals Pipeline Secrets via Tag Spoofing Attack