Part of a multi-package malicious campaign by npm author toskypi, logger-draft is a companion package to eo-terminal in the same infostealer and remote access trojan (RAT) campaign. Both packages share the same actor, C2 infrastructure, and attack pattern, and are distributed together under a "terminal logging utilities" theme.
The campaign deploys a comprehensive payload via a postinstall hook that copies a large JavaScript agent to a persistent location disguised as MicrosoftSystem64 and registers it as a system service (systemd on Linux, LaunchAgent on macOS, scheduled task or registry run key on Windows). A sandbox check (CPU count and CPU model string) aborts execution in analysis environments. The install process exits cleanly with process.exit(0), leaving no visible error output.
C2 infrastructure: Primary WebSocket/HTTP C2 at ws://195.201.194.107:8010 (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository yszf984308/system-release via a hardcoded API token.
Capabilities (shared with campaign):
- Keylogger — keystroke and password capture with offline queuing
- Clipboard harvesting — 1,000 ms polling via platform-native tools
- Screenshot capture and live streaming
- Browser credential theft — Chromium-family and Firefox profile directories
- Crypto wallet exfiltration — 20+ desktop wallets
- SSH backdoor — exfiltrates SSH keys and injects attacker RSA public key into authorized_keys
- Shell history theft — 15+ history file formats across all user home directories
- Environment variable and .env file theft — targets cloud and CI/CD credentials at install time
- Telegram session theft — full tdata/ directory exfiltration
- Cloud credential theft — AWS, Azure, GCP, Kubernetes, Docker, GnuPG
- Recursive filesystem scan — certificate, key, and wallet files uploaded to HuggingFace
- Remote command execution and interactive terminal sessions
- Self-update via HuggingFace-hosted native binaries
-= Per source details. Do not edit below this line.=-
logger-draft@3.2.1 advertises itself as a terminal-color logger but ships a heavily obfuscated postinstall dropper (utils.cjs, 252 KB, obfuscator.io-style string-array + RC4 + self-defending wrappers) wired into package.json as "postinstall": "node utils.cjs". On install the script RC4-decodes a hidden BINARYBASEURL and HF_TOKEN, selects a platform-specific filename (linux-x64/arm64, darwin-arm64, win32-x64), HTTPS-GETs the binary with an Authorization: Bearer <token> header, writes it under the user's data directory with mode 0o755, and detached-spawns it. No hash or signature verification is performed, and the bearer-token gate means the source bytes are unauditable from the published package — the author can swap the payload server-side at any time. After dropping the binary the script installs cross-platform boot persistence: on Windows it creates a schtasks /SC ONLOGON task and an HKCU...\CurrentVersion\Run value pointing at a generated.vbs shim that re-spawns the binary hidden; on Linux it writes ~/.config/systemd/user/<unit>.service and runs systemctl --user daemon-reload && enable --now, plus an autostart entry; on macOS it launches the binary detached from a writable directory. Supporting deception signals: the README is titled terminal-logger-utils and instructs npm install terminal-logger-utils (mismatched name), publisher metadata is a bare handle with no repository/homepage/license, and the README claims 'Zero runtime dependencies' while package.json declares nine. Installer harm fires automatically on npm install in any developer or CI environment.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "fbefd2d58c46c2967c6d1ac070fe3fef6a50b078d76ca015d184cf8ac3e9812e",
"modified_time": "2026-05-22T10:21:37Z",
"import_time": "2026-05-26T05:52:05.958128048Z",
"id": "IN-MAL-2026-004183",
"versions": [
"3.2.0"
]
},
{
"source": "amazon-inspector",
"sha256": "0862a27a4fcbb3fc546fed447371d22dfcabb46e2d6a163754d30ec300fdceb7",
"modified_time": "2026-05-22T23:56:40Z",
"import_time": "2026-05-26T05:52:16.789692958Z",
"id": "IN-MAL-2026-004272",
"versions": [
"3.2.1"
]
},
{
"source": "amazon-inspector",
"sha256": "1f700e9c57c78ef1864ca4e05bb03e3d1c1d3af843fea707f934e80ff827aa93",
"modified_time": "2026-05-23T12:30:46Z",
"import_time": "2026-05-26T05:52:22.246211527Z",
"id": "IN-MAL-2026-004320",
"versions": [
"3.2.2"
]
},
{
"source": "amazon-inspector",
"sha256": "5f856a4ade2e077545656c876ac51e89603c8901fefa4abbd03f3348ebc39854",
"modified_time": "2026-05-22T10:21:37Z",
"import_time": "2026-05-26T05:52:06.06456415Z",
"id": "IN-MAL-2026-004184",
"versions": [
"3.2.0"
]
},
{
"source": "amazon-inspector",
"sha256": "82d03fd6ce6e3d4cc0cca06c66cf56d00115c6ab335ab7ec9e0fe7476fa10d3c",
"modified_time": "2026-05-22T23:56:40Z",
"import_time": "2026-05-26T05:52:16.891824041Z",
"id": "IN-MAL-2026-004273",
"versions": [
"3.2.1"
]
},
{
"source": "amazon-inspector",
"sha256": "acd3dbf9060aad9798a0c2bdca5208715491ce58711cec202661d6d7648361a6",
"modified_time": "2026-05-23T12:30:47Z",
"import_time": "2026-05-26T05:52:22.357513746Z",
"id": "IN-MAL-2026-004321",
"versions": [
"3.2.2"
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/logger-draft/MAL-2026-4346.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "logger-draft-3.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-VHk9uUdqsy6HSvu5KI99Ekrq4tPFj5q3QT1EbNvwN4qDsWgAuFErH3TF+hL6WNh3d2tOrW19ezA6j86eIdD8RA==",
"sha1": "b28c81c63335b8b421cd77c462512b9c1b66f5b7"
}
}
],
"domains": [
"34.0.16.104.in-addr.arpa"
],
"evidence_files": [
{
"path": "utils.cjs",
"sha256": "032586646362b7e21f8bf0b87cef3ace2a27c415a8447c52edfa81f37b51810f",
"tlsh": "3344a58037d6bc8217471bb7371ab5f5e52edd98b088458ef500bc58f1f9a26eae0670"
}
]
}