Breaking News: OX Security has identified a malicious npm package containing keylogger, infostealer, and RAT behavior. We have traced the threat actor behind it to previously documented North Korean (DPRK) campaigns.
The package, ‘terminal-logger-utils,’ targets Telegram data, SSH keys, crypto wallets, cloud configurations (AWS, GCP, Azure), environment variables, and more. Three dependent packages import it and trigger the malicious behavior when installed: pretty-logger-utils, ts-logger-pack, and pinno-loggers.
The threat actor behind the upload – jpeek895 – was previously reported on kmsec.uk for uploading a similar npm package linked to DPRK activity.

Source: https://dprk-research.kmsec.uk/
npm accounts that uploaded the dependent packages:
- pvnd3540749
- yggedd817513
- jpeek886
Recommended Actions
Immediate Actions:
- Remove the malware from the infected machine
- Check for network requests to the IoCs
- Perform key rotation and add 2FA
Technical Analysis

The malware uses a postinstall hook in package.json that runs utils.cjs as soon as the package is installed.

utils.cjs is an obfuscated dropper: it identifies the host platform and downloads the second-stage binary built for it.
The second-stage binary is hosted on Hugging Face, a popular AI and ML platform, mirroring Shai-Hulud’s tactic of abusing legitimate websites so that downloads pass through network filtering tools unchallenged.

After the download, the dropper executes the second-stage binary directly on the machine. That binary is a bundled Node.js single executable with the malicious JavaScript embedded in it.

Alongside the C2 task handler, a collector loop starts at launch: it logs keystrokes on each supported platform, polls the clipboard, and posts the captured data over HTTP to /api/validate/keyboard-events. Keystrokes typed into password fields are tracked separately in a variable named pwdKeyString.

The malware targets high-value local data: Telegram Desktop, browser login databases, crypto wallets, SSH keys, and keyword-matched files across drives. Stolen archives are often uploaded to Hugging Face datasets. Telegram sessions go directly to the HTTP C2.

As shown in the example below, the malware reads Telegram Desktop data:

Stealing crypto wallets:


On the persistence and self-update side, ensureAutostart() on first run installs the binary under %LOCALAPPDATA%\MicrosoftSystem64 (Windows) and registers it to run at login through a hidden VBS launcher and a scheduled task, with a registry Run key as a fallback.

In summary, this is a cross-platform Node.js implant that connects to a remote server over WebSocket for full machine control (files, shell, screenshots, input injection) while a background collector sends keystrokes and clipboard data over HTTP. It steals Telegram sessions, browser credentials, crypto wallets, and SSH keys, uploads stolen data via Hugging Face, installs itself to run at login, and can update its own binary from the operator’s repository.
Related Packages