
MAL-2026-4345

Malicious code in eo-terminal (npm)

Details

Part of a multi-package malicious campaign by npm author `toskypi`, `eo-terminal` is a fully-featured infostealer and remote access trojan (RAT) disguised as "terminal changelog logger utilities." The package README describes a completely different package (`terminal-logger-utils`), indicating a name-recycling or typosquatting attack. It is part of the same campaign as `logger-draft`.

On installation, a `postinstall` hook runs `utils.js`, which performs a sandbox check (aborts if CPU count ≤ 4 or no CPU model string), copies the 24,000-line `payload.js` to a persistent path named `MicrosoftSystem64`, registers it as a persistent service (systemd user service on Linux, LaunchAgent plist on macOS, scheduled task or `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry key on Windows), and launches the payload as a detached background agent — `process.exit(0)` is called immediately so the npm install completes with no visible errors.

**C2 infrastructure:** Primary WebSocket/HTTP C2 at `ws://195.201.194.107:8010` (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository `yszf984308/system-release` via a hardcoded API token. C2 config strings are XOR-obfuscated with key `[90, 60, 126, 18, 159, 75, 109, 138]` and base64-encoded in `dist/config.js`.

**Capabilities:**

- **Keylogger** — full keystroke and password-field capture with an offline queue at `~/.pcl-data/offline-queue.jsonl` that drains automatically on C2 reconnect
- **Clipboard harvesting** — polls every 1,000 ms via platform-native tools (`pbpaste`, `xclip`, PowerShell)
- **Screenshot capture and live streaming** — one-shot and continuous AnyDesk-style streaming; periodic upload to HuggingFace
- **Browser credential theft** — Login Data, Cookies, Web Data from all Chromium-family browsers; `logins.json`, `key4.db`, `cert9.db` from Firefox
- **Crypto wallet exfiltration** — 20+ wallets including Exodus, Electrum, Phantom, Ledger Live, Trezor, Trust Wallet, Monero GUI, and Bitcoin/Litecoin/Dogecoin Core
- **SSH backdoor** — exfiltrates `~/.ssh/` contents and appends attacker RSA key (`bink@DESKTOP-N8JGD6T`) to `authorized_keys`
- **Shell history theft** — 15+ history file formats including `.bash_history`, `.zsh_history`, PowerShell `ConsoleHost_history.txt`, and `~/.atuin/history.db`; iterates all user home directories
- **Environment variable harvesting** — targets API keys, tokens, and cloud credentials matching keywords such as `aws`, `github_token`, `npm_token`, `stripe`, `openai`, and `jwt`
- **.env file theft** — reads the victim's project-root `.env` at install time
- **Telegram session theft** — gzip-packs and uploads the full `tdata/` directory (up to 500 MB)
- **Cloud credential theft** — `~/.aws/`, `~/.azure/`, `~/.kube/`, `~/.config/gcloud/`, `~/.docker/`, `~/.gnupg/`, `.git-credentials`, `.netrc`
- **Recursive filesystem scan** — scans for certificates, key files, and credential-named files (`.pem`, `.key`, `.pfx`, `.kdbx`, `.ppk`, `wallet`, `mnemonic`, `seed`, etc.); uploads matches (up to 50 MB each) to HuggingFace
- **Remote command execution** — arbitrary shell commands and full interactive terminal sessions
- **Self-update** — polls HuggingFace for updated versions and deploys platform-native compiled binaries (`MicrosoftSystem64-win.exe`, `-linux`, `-darwin-x64`, `-darwin-arm64`)

**Evasion:** The payload detaches from the npm install process immediately (no blocking output), masquerades as `MicrosoftSystem64` to blend into Windows system process names, abuses HuggingFace as a trusted exfiltration channel, and uses XOR+base64 obfuscation for all C2 config strings.
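As an added host-triage example (not code from the advisory or from the package), the Python script below checks a user's home directory for the persistence and exfiltration artefacts this advisory names: the `MicrosoftSystem64` payload name in systemd user units and LaunchAgent plists, the keylogger's offline queue at `~/.pcl-data/offline-queue.jsonl`, the attacker key comment `bink@DESKTOP-N8JGD6T` in `authorized_keys`, the `HKCU\...\Run` key on Windows, and the campaign's package names in a `package.json`. The demo home directory built by `build_demo_home()`, its unit file, plist and queue contents are constructed fixtures; the indicator strings themselves come from the advisory.

```python
"""Host triage for the eo-terminal indicators described in this advisory.

Added example: the indicator strings come from the advisory; the sample
home directory built by build_demo_home() is a constructed fixture.
"""
import json
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory text.
PERSISTENCE_NAME = "MicrosoftSystem64"          # on-disk name of the copied payload
ATTACKER_KEY_COMMENT = "bink@DESKTOP-N8JGD6T"    # comment on the appended RSA key
OFFLINE_QUEUE = Path(".pcl-data") / "offline-queue.jsonl"  # keylogger spool file
CAMPAIGN_PACKAGES = {"eo-terminal", "logger-draft"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def suspicious_ssh_keys(authorized_keys_text: str) -> list[str]:
    """Return authorized_keys lines carrying the attacker's key comment."""
    return [line for line in authorized_keys_text.splitlines()
            if ATTACKER_KEY_COMMENT in line]


def campaign_dependencies(package_json_text: str) -> set[str]:
    """Return campaign package names declared in any dependency section."""
    data = json.loads(package_json_text)
    found: set[str] = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        found |= CAMPAIGN_PACKAGES & set(data.get(section, {}))
    return found


def persistence_hits(home: Path) -> list[Path]:
    """Look in the per-user persistence locations the advisory names.

    A file counts as a hit when its name or its contents mention the
    payload name; the keylogger's offline queue is reported directly.
    """
    hits: list[Path] = []
    for unit_dir in (home / ".config" / "systemd" / "user",   # Linux user service
                     home / "Library" / "LaunchAgents"):       # macOS LaunchAgent
        if not unit_dir.is_dir():
            continue
        for entry in unit_dir.iterdir():
            if not entry.is_file():
                continue
            if (PERSISTENCE_NAME in entry.name
                    or PERSISTENCE_NAME in entry.read_text(errors="ignore")):
                hits.append(entry)
    if (home / OFFLINE_QUEUE).is_file():
        hits.append(home / OFFLINE_QUEUE)
    return hits


def windows_run_key_hits() -> list[str]:
    """Return HKCU Run values that reference the payload name (Windows only)."""
    if os.name != "nt":
        return []
    import winreg  # standard library, importable only on Windows
    hits: list[str] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            if PERSISTENCE_NAME in name or PERSISTENCE_NAME in str(data):
                hits.append(f"{name}={data}")
            index += 1
    return hits


def build_demo_home() -> Path:
    """Create a constructed home directory carrying the advisory's artefacts."""
    home = Path(tempfile.mkdtemp(prefix="eo-terminal-demo-"))
    unit_dir = home / ".config" / "systemd" / "user"
    unit_dir.mkdir(parents=True)
    (unit_dir / f"{PERSISTENCE_NAME}.service").write_text(
        f"[Service]\nExecStart={home}/{PERSISTENCE_NAME}/payload.js\n")
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    # innocuous plist name; the payload path appears only in the body
    (agents / "com.example.updater.plist").write_text(
        f"<string>{home}/{PERSISTENCE_NAME}/payload.js</string>\n")
    (agents / "com.example.legit.plist").write_text("<plist/>\n")
    queue = home / OFFLINE_QUEUE
    queue.parent.mkdir(parents=True)
    queue.write_text('{"type":"keys","data":"constructed sample"}\n')
    return home


if __name__ == "__main__":
    demo = build_demo_home()
    print("demo home hits:", [str(p.relative_to(demo)) for p in persistence_hits(demo)])
    print("this host hits:", [str(p) for p in persistence_hits(Path.home())])
    print("HKCU Run hits:", windows_run_key_hits())
```

Run it as-is to see the constructed fixture trigger every check and then the same checks against the current user's real home; a non-empty second list, or any `authorized_keys` line returned by `suspicious_ssh_keys`, is grounds to treat the host as compromised rather than merely to remove the package, since the payload runs independently of npm once installed.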


Affected packages

npm / eo-terminal
Introduced in: 0

No fixed version published yet for eo-terminal (npm). Pin to a known-safe version or switch to an alternative.
