THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · typosquatting · osv

Malicious code in eo-terminal (npm)

eo-terminal

Risk score

92

AI summary

Indexed incident for eo-terminal (npm).

Description

Part of a multi-package malicious campaign by npm author toskypi, eo-terminal is a fully-featured infostealer and remote access trojan (RAT) disguised as "terminal changelog logger utilities." The package README describes a completely different package (terminal-logger-utils), indicating a name-recycling or typosquatting attack. It is part of the same campaign as logger-draft.

On installation, a postinstall hook runs utils.js, which performs a sandbox check (aborts if CPU count ≤ 4 or no CPU model string), copies the 24,000-line payload.js to a persistent path named MicrosoftSystem64, registers it as a persistent service (systemd user service on Linux, LaunchAgent plist on macOS, scheduled task or HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key on Windows), and launches the payload as a detached background agent — process.exit(0) is called immediately so the npm install completes with no visible errors.

C2 infrastructure: Primary WebSocket/HTTP C2 at ws://195.201.194.107:8010 (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository yszf984308/system-release via a hardcoded API token. C2 config strings are XOR-obfuscated with key [90, 60, 126, 18, 159, 75, 109, 138] and base64-encoded in dist/config.js.

Capabilities:

  • Keylogger — full keystroke and password-field capture with an offline queue at ~/.pcl-data/offline-queue.jsonl that drains automatically on C2 reconnect
  • Clipboard harvesting — polls every 1,000 ms via platform-native tools (pbpaste, xclip, PowerShell)
  • Screenshot capture and live streaming — one-shot and continuous AnyDesk-style streaming; periodic upload to HuggingFace
  • Browser credential theft — Login Data, Cookies, Web Data from all Chromium-family browsers; logins.json, key4.db, cert9.db from Firefox
  • Crypto wallet exfiltration — 20+ wallets including Exodus, Electrum, Phantom, Ledger Live, Trezor, Trust Wallet, Monero GUI, and Bitcoin/Litecoin/Dogecoin Core
  • SSH backdoor — exfiltrates ~/.ssh/ contents and appends attacker RSA key (bink@DESKTOP-N8JGD6T) to authorized_keys
  • Shell history theft — 15+ history file formats including .bash_history, .zsh_history, PowerShell ConsoleHost_history.txt, and ~/.atuin/history.db; iterates all user home directories
  • Environment variable harvesting — targets API keys, tokens, and cloud credentials matching keywords such as aws, github_token, npm_token, stripe, openai, and jwt
  • .env file theft — reads the victim's project-root .env at install time
  • Telegram session theft — gzip-packs and uploads the full tdata/ directory (up to 500 MB)
  • Cloud credential theft — ~/.aws/, ~/.azure/, ~/.kube/, ~/.config/gcloud/, ~/.docker/, ~/.gnupg/, .git-credentials, .netrc
  • Recursive filesystem scan — scans for certificates, key files, and credential-named files (.pem, .key, .pfx, .kdbx, .ppk, wallet, mnemonic, seed, etc.); uploads matches (up to 50 MB each) to HuggingFace
  • Remote command execution — arbitrary shell commands and full interactive terminal sessions
  • Self-update — polls HuggingFace for updated versions and deploys platform-native compiled binaries (MicrosoftSystem64-win.exe, -linux, -darwin-x64, -darwin-arm64)

Evasion: The payload detaches from the npm install process immediately (no blocking output), masquerades as MicrosoftSystem64 to blend into Windows system process names, abuses HuggingFace as a trusted exfiltration channel, and uses XOR+base64 obfuscation for all C2 config strings.


Per source details

Source: amazon-inspector (3a56d3d23a5c71474129a52aa4fc3a0e529cfd4bdfda56752be09694399bd127)

package.json declares "postinstall": "node utils.cjs". utils.cjs is heavily obfuscated (obfuscator.io string array of ~1300 entries, hex-named accessors, RC4+base64 decoder _d(), debugger/anti-consol

Technical details

Affected versions


Indicators

  • alias: GHSA-29rh-48q6-xhpc (confidence 90%)
  • affected_version (confidence 75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents