{"id":"MAL-2026-4823","summary":"Malicious code in msc-terminal (npm)","details":"Part of a multi-package malicious campaign, `msc-terminal` (npm author `nhpkevte1576`) carries the same payload as `eo-terminal` and `logger-draft` — a fully-featured infostealer and remote access trojan (RAT) deployed via a `postinstall` hook. All three packages share the same C2 infrastructure and attack chain.\n\nOn installation, the `postinstall` hook copies a large JavaScript agent to a persistent location disguised as `MicrosoftSystem64` and registers it as a system service (systemd on Linux, LaunchAgent on macOS, scheduled task or registry run key on Windows). A sandbox check (CPU count and CPU model string) aborts execution in analysis environments. The install process exits cleanly with `process.exit(0)`, leaving no visible error output.\n\n**C2 infrastructure:** Primary WebSocket/HTTP C2 at `ws://195.201.194.107:8010` (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository `yszf984308/system-release` via a hardcoded API token.\n\n**Capabilities** (shared with campaign):\n- **Keylogger** — keystroke and password capture with offline queuing\n- **Clipboard harvesting** — 1,000 ms polling via platform-native tools\n- **Screenshot capture and live streaming**\n- **Browser credential theft** — Chromium-family and Firefox profile directories\n- **Crypto wallet exfiltration** — 20+ desktop wallets\n- **SSH backdoor** — exfiltrates SSH keys and injects attacker RSA public key into `authorized_keys`\n- **Shell history theft** — 15+ history file formats across all user home directories\n- **Environment variable and `.env` file theft** — targets cloud and CI/CD credentials at install time\n- **Telegram session theft** — full `tdata/` directory exfiltration\n- **Cloud credential theft** — AWS, Azure, GCP, Kubernetes, Docker, GnuPG\n- **Recursive filesystem scan** — certificate, key, and wallet files uploaded to HuggingFace\n- **Remote command execution** and interactive terminal sessions\n- **Self-update** via HuggingFace-hosted native binaries\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (eec05fa3df0248b788635026129e1ca42d37887fe05235f20f2e9ad6f0ad6f27)\nCross-platform infostealer/RAT. postinstall installs obfuscated payload.js as 'MicrosoftSystem64' persistence (schtasks/launchctl/systemd). Keylogger w/ password-field detection, 27-wallet drainer, browser+SSH cred exfil, HuggingFace as covert C2.\n","modified":"2026-05-27T01:16:38.160523408Z","published":"2026-05-25T10:04:53Z","database_specific":{"malicious-packages-origins":[{"sha256":"eec05fa3df0248b788635026129e1ca42d37887fe05235f20f2e9ad6f0ad6f27","versions":["3.2.0"],"id":"IN-MAL-2026-004927","import_time":"2026-05-26T16:47:31.520541513Z","modified_time":"2026-05-26T15:16:10Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/msc-terminal/v/3.2.0"},{"type":"WEB","url":"https://x.com/safedepio/status/2058848260845076651"}],"affected":[{"package":{"name":"msc-terminal","ecosystem":"npm","purl":"pkg:npm/msc-terminal"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["3.2.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/msc-terminal/MAL-2026-4823.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-1N/IENXxz6o9h59ovcv9gEY17uNKIJamOBfY50Zl7cMN0iMGhTyYZqTc4LR6XDbDRZWAWM9dHaveiO+z9wmg7Q==","sha1":"3bf608454992b27aaf42d8b2b202f9e2c2c852e5"},"filename":"msc-terminal-3.2.0.tgz"}],"evidence_files":[{"tlsh":"8c05e740b6c0e5ac238b4fb7b637b0d5d41b0e4e34885b8bd194fc1569a6607eafda34","path":"payload.js","sha256":"f447b007e2d8a315a2fff6c51406334584ab0f3fa66bb3c210df1e9eb1fc6823"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}