HuggingFace Hijacked as C2 Channel by npm RAT
Key insights
- The microsoftsystem64 npm package contained a full RAT with keylogging, screen capture, and remote shell under fake Microsoft branding.
- HuggingFace repositories served as C2 infrastructure, exploiting corporate firewall whitelists that broadly trust AI platform domains.
- SafeDep's analysis documents the first npm supply-chain RAT using an AI hosting platform as its primary exfiltration channel.
Why this matters
Enterprises that have whitelisted AI infrastructure domains like huggingface.co now face an unaudited exfiltration channel that existing network controls will not flag, requiring immediate egress policy review. The microsoftsystem64 campaign shows supply-chain attackers are evolving beyond payload sophistication to infrastructure selection, deliberately picking channels defenders have treated as trusted. If this technique proliferates across threat actors, AI platforms face pressure to implement anomalous-upload detection or risk becoming standard exfiltration staging grounds in adversary playbooks.
Summary
A fake npm package called 'microsoftsystem64' delivered a fully featured Remote Access Trojan while routing stolen data through HuggingFace repositories instead of conventional command-and-control servers.
SafeDep's payload analysis found the package includes a keylogger, screen capture module, and remote shell. The HuggingFace choice is deliberate: corporate firewalls whitelist AI platform domains, making outbound traffic to huggingface.co invisible to controls built to catch suspicious exfiltration.
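The blind spot described above is a domain allowlist that lets upload-shaped traffic to huggingface.co pass unexamined. The following is an added example, not code from SafeDep's report or the original article, of the kind of egress-log review a defender can run to surface it: it groups outbound POST/PUT/PATCH requests to an allowlisted AI platform host by internal client and flags clients whose upload count or upload volume exceeds a threshold. The log format, hostnames, request paths, client addresses and thresholds are all constructed for illustration and are not taken from the campaign.

```python
"""Flag upload-shaped egress to allowlisted AI platform hosts.

Added example; not SafeDep's or the original article's code. The log lines,
paths, client addresses and thresholds are constructed for illustration.
Log format assumed (one request per line, space separated):
    <iso8601 ts> <client ip> <method> <host> <path> <bytes_out> <user agent>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hosts an enterprise might have allowlisted wholesale (assumption).
AI_PLATFORM_HOSTS = {"huggingface.co"}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
BYTES_THRESHOLD = 1_000_000   # constructed: >= 1 MB uploaded by one client
COUNT_THRESHOLD = 3           # constructed: >= 3 upload requests by one client

# Constructed sample proxy log: one developer pulling a model (benign GETs),
# one host pushing several MB to a freshly created repo (the pattern to review),
# and one browser visit.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.2.3 GET huggingface.co /api/models/bert-base-uncased 512 python-requests/2.31
2024-05-01T09:00:05Z 10.1.2.3 GET huggingface.co /bert-base-uncased/resolve/main/config.json 420 python-requests/2.31
2024-05-01T09:01:10Z 10.1.2.44 POST huggingface.co /api/repos/create 310 node
2024-05-01T09:01:12Z 10.1.2.44 PUT huggingface.co /api/datasets/zz-tmp-9f/upload/main 2100000 node
2024-05-01T09:01:40Z 10.1.2.44 PUT huggingface.co /api/datasets/zz-tmp-9f/upload/main 1900000 node
2024-05-01T09:02:05Z 10.1.2.44 PUT huggingface.co /api/datasets/zz-tmp-9f/upload/main 2300000 node
2024-05-01T09:03:00Z 10.1.2.9 GET huggingface.co / 200 Mozilla/5.0
"""


@dataclass
class Entry:
    ts: datetime
    client: str
    method: str
    host: str
    path: str
    bytes_out: int
    user_agent: str


def parse_line(line: str) -> Entry:
    """Parse one log line of the assumed format into an Entry."""
    parts = line.split(maxsplit=6)   # user agent may contain spaces
    if len(parts) != 7:
        raise ValueError(f"unexpected log line: {line!r}")
    ts, client, method, host, path, bytes_out, ua = parts
    return Entry(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        client=client,
        method=method.upper(),
        host=host.lower(),
        path=path,
        bytes_out=int(bytes_out),
        user_agent=ua,
    )


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_upload_anomalies(entries, hosts=AI_PLATFORM_HOSTS,
                          bytes_threshold=BYTES_THRESHOLD,
                          count_threshold=COUNT_THRESHOLD) -> list:
    """Return one finding per client whose uploads to `hosts` exceed a threshold.

    Downloads (GET) are ignored on purpose: pulling a model is the expected
    use of an AI platform, pushing data out of the enterprise is not.
    """
    stats = defaultdict(lambda: {"uploads": 0, "bytes_out": 0,
                                 "paths": set(), "first": None, "last": None})
    for e in entries:
        if e.host not in hosts or e.method not in UPLOAD_METHODS:
            continue
        s = stats[e.client]
        s["uploads"] += 1
        s["bytes_out"] += e.bytes_out
        s["paths"].add(e.path)
        s["first"] = e.ts if s["first"] is None else min(s["first"], e.ts)
        s["last"] = e.ts if s["last"] is None else max(s["last"], e.ts)

    findings = []
    for client, s in sorted(stats.items()):
        reasons = []
        if s["bytes_out"] >= bytes_threshold:
            reasons.append(f"uploaded {s['bytes_out']} bytes")
        if s["uploads"] >= count_threshold:
            reasons.append(f"{s['uploads']} upload requests")
        if reasons:
            findings.append({
                "client": client,
                "uploads": s["uploads"],
                "bytes_out": s["bytes_out"],
                "span_seconds": int((s["last"] - s["first"]).total_seconds()),
                "paths": sorted(s["paths"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_upload_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{f['client']}: {'; '.join(f['reasons'])} over {f['span_seconds']}s")
```

Run over real proxy or firewall logs, the thresholds need tuning per environment: a data-science team that legitimately publishes models will trip the byte threshold, so the useful signal is uploads from hosts that have no business pushing to the platform, which is exactly what a blanket domain allowlist cannot express.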
Essentially, as SafeDep and the npm security community frame it, this supply-chain attack weaponizes trusted AI infrastructure as a deliberate security blind spot.
- The package name mimicked Microsoft system tooling to exploit developer brand trust.
- HuggingFace's open repo model lets attackers stage stolen data under throwaway accounts with no friction.
- The RAT's capability set matches commercial offensive tools, not amateur droppers.
AI infrastructure domains are now being actively selected as exfiltration channels because defenders have extended implicit trust to AI platforms without applying equivalent scrutiny.
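The first bullet above concerns a package name that borrows a vendor's brand to look like official tooling. As an added example (not code from SafeDep or the original article), the check below walks a `package-lock.json` dependency tree and lists unscoped packages whose names contain a vendor brand token but do not sit under that vendor's official npm scope. The mapping of brand tokens to official scopes and the allowlist of known unscoped official packages are assumptions the reader maintains; the lockfile content is constructed for illustration.

```python
"""List lockfile dependencies whose names borrow a vendor brand without the
vendor's npm scope. Added example, not from the original article; the
brand-to-scope mapping and the allowlist are assumptions to maintain."""
import json

# Assumption: official scopes the vendor publishes under.
VENDOR_SCOPES = {
    "microsoft": {"@microsoft", "@azure"},
    "google": {"@google-cloud", "@googleapis"},
    "aws": {"@aws-sdk", "@aws-amplify", "@aws-cdk"},
}
# Assumption: unscoped names known to be official (e.g. the v2 AWS SDK).
KNOWN_UNSCOPED_OFFICIAL = {"aws-sdk"}

# Constructed lockfile (npm lockfileVersion 3 layout) for the demo.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/@microsoft/signalr": {"version": "8.0.0"},
    "node_modules/aws-sdk": {"version": "2.1500.0"},
    "node_modules/microsoftsystem64": {"version": "1.0.3",
      "resolved": "https://registry.example.invalid/microsoftsystem64-1.0.3.tgz"},
    "node_modules/foo/node_modules/google-auth-helper-x": {"version": "0.0.1"}
  }
}""")


def package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; the root key '' stays ''."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def brand_impersonation_candidates(lock: dict) -> list:
    """Return packages whose name carries a brand token outside its official scope.

    Flags are candidates for review, not verdicts: plenty of legitimate
    community packages mention a vendor name, so the allowlist matters.
    """
    findings = []
    for key, meta in lock.get("packages", {}).items():
        name = package_name(key)
        if not name or name in KNOWN_UNSCOPED_OFFICIAL:
            continue
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        lowered = name.lower()
        for brand, scopes in VENDOR_SCOPES.items():
            if brand in lowered and scope not in scopes:
                findings.append({
                    "name": name,
                    "brand": brand,
                    "version": meta.get("version"),
                    "resolved": meta.get("resolved"),
                })
                break
    return findings


def load_lockfile(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for f in brand_impersonation_candidates(SAMPLE_LOCK):
        print(f"review: {f['name']}@{f['version']} (brand '{f['brand']}', unscoped)")
```

Point `load_lockfile` at a project's real `package-lock.json` to run it outside the demo. The check is deliberately narrow: it cannot tell a malicious package from a benign community one, but it does turn "this name looks official" from a developer's impression into a reviewable list.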
Potential risks and opportunities
Risks
- Security teams at enterprises with blanket HuggingFace whitelists may have an active or recently active exfiltration channel that predates this disclosure and has not been retroactively audited
- HuggingFace faces reputational and regulatory pressure if it cannot demonstrate detection and removal of malicious repository uploads used as C2 staging infrastructure
- npm and other package registries face accelerating demands to implement binary payload scanning, which could create publish-pipeline friction and shift attacker focus to less-scrutinized registries
Opportunities
- Supply-chain security vendors (Socket.dev, Snyk, Chainguard, Endor Labs) gain a high-profile case study to accelerate enterprise budget conversations around npm registry monitoring
- HuggingFace has a window to ship anomalous-upload detection and API abuse controls that could become a trust differentiator as AI infrastructure faces new adversarial scrutiny
- Network security vendors (Palo Alto Networks, Zscaler) can upsell AI-platform-specific egress inspection policies to enterprises that previously relied on domain whitelisting as a sufficient control
What we don't know yet
- Whether HuggingFace has identified and removed the specific repositories used for C2 staging and implemented upload-abuse monitoring since SafeDep's disclosure
- Attribution behind the microsoftsystem64 campaign: SafeDep's analysis identifies the technique but names no threat actor, group, or country of origin
- How many developer machines downloaded and executed the package before removal, and whether npm's security team has notified affected users
Originally reported by safedep.io
Original headline: Malicious npm Package 'microsoftsystem64' Conceals Full RAT and Routes Stolen Data Through HuggingFace as Novel C2 Infrastructure