THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in msc-terminal (npm)

msc-terminal

Risk score

92

AI summary

Indexed incident for msc-terminal (npm).

Description

Part of a multi-package malicious campaign, msc-terminal (npm author nhpkevte1576) carries the same payload as eo-terminal and logger-draft — a fully-featured infostealer and remote access trojan (RAT) deployed via a postinstall hook. All three packages share the same C2 infrastructure and attack chain.

On installation, the postinstall hook copies a large JavaScript agent to a persistent location disguised as MicrosoftSystem64 and registers it as a system service (systemd on Linux, LaunchAgent on macOS, scheduled task or registry run key on Windows). A sandbox check (CPU count and CPU model string) aborts execution in analysis environments. The install process exits cleanly with process.exit(0), leaving no visible error output.

C2 infrastructure: Primary WebSocket/HTTP C2 at ws://195.201.194.107:8010 (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository yszf984308/system-release via a hardcoded API token.

Capabilities (shared with campaign):

  • Keylogger — keystroke and password capture with offline queuing
  • Clipboard harvesting — 1,000 ms polling via platform-native tools
  • Screenshot capture and live streaming
  • Browser credential theft — Chromium-family and Firefox profile directories
  • Crypto wallet exfiltration — 20+ desktop wallets
  • SSH backdoor — exfiltrates SSH keys and injects attacker RSA public key into authorized_keys
  • Shell history theft — 15+ history file formats across all user home directories
  • Environment variable and .env file theft — targets cloud and CI/CD credentials at install time
  • Telegram session theft — full tdata/ directory exfiltration
  • Cloud credential theft — AWS, Azure, GCP, Kubernetes, Docker, GnuPG
  • Recursive filesystem scan — certificate, key, and wallet files uploaded to HuggingFace
  • Remote command execution and interactive terminal sessions
  • Self-update via HuggingFace-hosted native binaries
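A defender-side hunt for this campaign, as an added example that is not ThreatPkg's or the reporting source's own tooling: it walks a node_modules tree, flags packages that declare npm install hooks (the delivery vector described above), and searches package files for the indicators this advisory lists. The sample packages are constructed in a temporary directory; the package names, persistence name, C2 address and HuggingFace repository are the values reported in the description.

```python
"""Hunt an npm install tree for the msc-terminal campaign (added example, not ThreatPkg's
own tooling): flag install hooks and grep package files for the advisory's indicators."""
import json
import os
import tempfile

# Indicators taken from the advisory text: package names, persistence name, C2, exfil repo.
CAMPAIGN_PACKAGES = {"msc-terminal", "eo-terminal", "logger-draft"}
IOC_STRINGS = ("MicrosoftSystem64", "195.201.194.107:8010", "yszf984308/system-release")


def scan_node_modules(root):
    """Return (package_name, reason) findings for every package.json below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the hunt
        name = meta.get("name", dirpath)
        if name in CAMPAIGN_PACKAGES:
            findings.append((name, "known campaign package"))
        hooks = [h for h in ("preinstall", "install", "postinstall") if h in meta.get("scripts", {})]
        if hooks:  # lifecycle hooks run arbitrary code at install time
            findings.append((name, "declares install hook(s): " + ", ".join(hooks)))
        for fname in (f for f in files if f.endswith((".js", ".cjs", ".mjs", ".json"))):
            with open(os.path.join(dirpath, fname), encoding="utf-8", errors="ignore") as fh:
                body = fh.read()
            for ioc in IOC_STRINGS:
                if ioc in body:
                    findings.append((name, f"{fname} contains indicator {ioc!r}"))
    return findings


def build_sample_tree():
    """Constructed sample: one benign package and one whose manifest mirrors the advisory."""
    root = tempfile.mkdtemp()
    files = {
        "left-pad-ish/package.json": json.dumps({"name": "left-pad-ish", "version": "1.0.0"}),
        "msc-terminal/package.json": json.dumps({"name": "msc-terminal", "scripts": {"postinstall": "node setup.js"}}),
        # stand-in script holding only the indicator strings, no payload
        "msc-terminal/setup.js": "// copies agent to MicrosoftSystem64, dials ws://195.201.194.107:8010\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, "node_modules", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root
```

Run `scan_node_modules("./node_modules")` against a real project tree; any hit on a campaign package name or indicator string warrants checking the persistence locations and authorized_keys files named above.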

-= Per-source details. Do not edit below this line. =-

Source: amazon-inspector (eec05fa3df0248b788635026129e1ca42d37887fe05235f20f2e9ad6f0ad6f27)

Cross-platform infostealer/RAT. The postinstall hook installs an obfuscated payload.js as 'MicrosoftSystem64' persistence (schtasks/launchctl/systemd). Keylogger with password-field detection, 27-wallet drainer, browser and SSH credential exfiltration, HuggingFace used as covert C2.

Technical details

Affected versions


Indicators

  • affected_version (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents