MAL-2026-4346
Malicious code in logger-draft (npm)
Details
Part of a multi-package malicious campaign by npm author `toskypi`, `logger-draft` is a companion package to `eo-terminal` in the same infostealer and remote access trojan (RAT) campaign. Both packages share the same actor, C2 infrastructure, and attack pattern, and are distributed together under a "terminal logging utilities" theme.
The campaign deploys a comprehensive payload via a `postinstall` hook that copies a large JavaScript agent to a persistent location disguised as `MicrosoftSystem64` and registers it for persistence (a systemd unit on Linux, a LaunchAgent on macOS, a scheduled task or registry Run key on Windows). A sandbox check on CPU count and CPU model string aborts execution in analysis environments. The install script then exits with `process.exit(0)`, so `npm install` reports success and leaves no visible error output.
**C2 infrastructure:** Primary WebSocket/HTTP C2 at `ws://195.201.194.107:8010` (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository `yszf984308/system-release` via a hardcoded API token.
**Capabilities** (shared with campaign):
- **Keylogger** — keystroke and password capture with offline queuing
- **Clipboard harvesting** — 1,000 ms polling via platform-native tools
- **Screenshot capture and live streaming**
- **Browser credential theft** — Chromium-family and Firefox profile directories
- **Crypto wallet exfiltration** — 20+ desktop wallets
- **SSH backdoor** — exfiltrates SSH keys and injects attacker RSA public key into `authorized_keys`
- **Shell history theft** — 15+ history file formats across all user home directories
- **Environment variable and `.env` file theft** — targets cloud and CI/CD credentials at install time
- **Telegram session theft** — full `tdata/` directory exfiltration
- **Cloud credential theft** — AWS, Azure, GCP, Kubernetes, Docker, GnuPG
- **Recursive filesystem scan** — certificate, key, and wallet files uploaded to HuggingFace
- **Remote command execution** and interactive terminal sessions
- **Self-update** via HuggingFace-hosted native binaries
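Two of the indicators above are directly huntable: the C2 endpoint and HuggingFace repository from the infrastructure section, and the attacker key the SSH backdoor injects into `authorized_keys`. The helpers below are an added example, not code from the advisory or from the malicious packages; the IP, port and repository path come from the advisory, while the log lines, the key strings and the allowlist are constructed placeholders.

```javascript
// Added hunting helpers, not code from the advisory or from the malicious packages.
// matchIocs() checks log lines for the network indicators the advisory lists
// (C2 host/port and the HuggingFace exfiltration repository); findUnexpectedKeys()
// reviews authorized_keys against an allowlist, since the payload injects an attacker
// key there. Indicators come from the advisory; the log lines, keys and allowlist
// below are constructed placeholders.

// Ordered most specific first; a line is reported under the first indicator it matches.
const IOCS = [
  { name: 'c2-endpoint', re: /\b195\.201\.194\.107:8010\b/ },
  { name: 'c2-host', re: /\b195\.201\.194\.107\b/ },
  // Repo path only: matching huggingface.co alone would flag legitimate traffic.
  { name: 'hf-exfil-repo', re: /yszf984308\/system-release/i },
];

// Matches an authorized_keys entry: optional options string, key type, base64 key, optional comment.
const AUTHORIZED_KEY_RE =
  /(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)\s+([A-Za-z0-9+\/=]+)(?:\s+(.*))?$/;

// Constructed proxy log lines (not real telemetry).
const SAMPLE_LOGS = [
  '2026-03-01T10:02:11Z proxy CONNECT 195.201.194.107:8010 upgrade=websocket user=ci',
  '2026-03-01T10:02:15Z proxy GET https://huggingface.co/api/datasets/yszf984308/system-release user=ci',
  '2026-03-01T10:03:00Z proxy GET https://registry.npmjs.org/express user=ci',
];

// Constructed authorized_keys content; the key strings are placeholders, not real keys.
const SAMPLE_AUTHORIZED_KEYS = [
  '# deploy key',
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALLOWEDKEY0000000000000000000000 ops@example',
  'no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDERINJECTEDKEY attacker',
].join('\n');

// Constructed allowlist: the public keys that are supposed to be on the host.
const EXPECTED_KEYS = ['AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALLOWEDKEY0000000000000000000000'];

// Returns one hit per matching line: { lineNo, ioc, line }.
function matchIocs(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    for (const { name, re } of IOCS) {
      if (re.test(line)) {
        hits.push({ lineNo: idx + 1, ioc: name, line });
        break;
      }
    }
  });
  return hits;
}

// Parses authorized_keys text into { options, type, key, comment } entries,
// skipping blank lines and comments.
function parseAuthorizedKeys(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = AUTHORIZED_KEY_RE.exec(line);
    if (!m) continue;
    entries.push({
      options: line.slice(0, m.index).trim(),
      type: m[1],
      key: m[2],
      comment: (m[3] || '').trim(),
    });
  }
  return entries;
}

// Returns entries whose key material is not in the allowlist of expected public keys.
function findUnexpectedKeys(text, allowedKeys) {
  const allowed = new Set(allowedKeys);
  return parseAuthorizedKeys(text).filter((e) => !allowed.has(e.key));
}

// Demonstration on the constructed samples.
console.log(matchIocs(SAMPLE_LOGS));
console.log(findUnexpectedKeys(SAMPLE_AUTHORIZED_KEYS, EXPECTED_KEYS));
```

The key review compares only the base64 key material, so an injected key is caught even if the attacker reuses a comment or options string from an existing entry. Because the agent also exfiltrates the host's own SSH private keys, an unexpected entry in `authorized_keys` should trigger rotation of every key that lived on that host, not just removal of the injected line.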
Affected packages
logger-draft (npm): all versions affected (introduced 0); no fixed version published. Because the package itself is malicious rather than vulnerable, there is no known-safe version to pin to: remove it from dependencies and lockfiles, and treat any host that installed it as compromised, since the payload runs and persists at install time.