Microsoft has uncovered a new malware campaign that hides crypto-stealing software inside public npm packages, exposing developers and cryptocurrency users to potential wallet theft and credential compromise.
According to Microsoft Threat Intelligence, two malicious npm packages, utils-terminal@3.2.1 and logger-active@3.2.1, were found distributing a remote access trojan (RAT) capable of stealing sensitive information from infected devices. The malware can capture keystrokes, take screenshots and harvest cryptocurrency wallet credentials.
Compromised npm packages (utils-terminal@3.2.1, logger-active@3.2.1) are abusing Hugging Face repos as exfiltration infrastructure. The packages deploy a remote access trojan (RAT) that captures keystrokes, screenshots, and crypto wallet credentials.
Indicators of compromise… pic.twitter.com/e3kzcStZUg
— Microsoft Threat Intelligence (@MsftSecIntel) June 3, 2026
npm is one of the largest software registries used by JavaScript developers to build applications and web services. Once a compromised package is installed, the malware can operate silently in the background, collecting passwords, wallet information and other sensitive files stored on the system.
Attackers use Hugging Face to hide stolen data
Microsoft said the campaign used Hugging Face, a popular artificial intelligence and machine learning platform, as part of its data theft infrastructure.
Rather than sending stolen information directly to suspicious servers, the malware routed data through Hugging Face repositories. By using a trusted platform, attackers were able to make malicious traffic appear more legitimate and potentially avoid detection.
Developer machines often contain browser-based wallets, private keys, seed phrase backups, exchange API keys and access credentials for cloud services. For crypto users, a compromise of such a machine could give attackers access to digital assets, trading accounts and development environments.
Supply-chain attacks continue to hit crypto sector
The discovery adds to a growing list of software supply-chain attacks targeting the cryptocurrency industry.
In May, cybersecurity researchers identified the TrapDoor malware campaign, which spread through more than 30 malicious packages across npm, PyPI and Rust ecosystems. The operation targeted crypto and AI developers by stealing wallet information, cloud credentials, API keys and SSH access.
Earlier this year, security researchers also warned about malicious npm packages linked to fake Axios releases that exposed developers to credential theft and remote access malware.
Microsoft links latest warning to crypto malware trend
Microsoft’s latest alert follows a separate warning issued in May about malware campaigns that spread through fake software downloads promoted in poisoned search results and some AI chatbot interactions.
That operation targeted users with high-performance graphics cards and secretly installed crypto-mining malware. Attackers disguised the malware as popular PC utilities, including hardware monitoring and diagnostic tools.
Microsoft urged developers to review recently installed packages, remove suspicious dependencies, rotate exposed credentials and monitor wallet activity for unauthorized transactions. Microsoft also took legal action to neutralize “Lumma Stealer,” a powerful malware tool that has silently siphoned sensitive data from hundreds of thousands of computers worldwide.
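One way to carry out the package review Microsoft recommends is to search a project's parsed package-lock.json for the two package versions named in this article. The following is an added example, not code from Microsoft or from the original article; the function name findFlagged and the sample lockfile are constructed for illustration, and only the exact versions named above are matched.

```javascript
// Package versions named in the Microsoft Threat Intelligence post quoted in this article.
const FLAGGED = new Map([
  ["utils-terminal", "3.2.1"],
  ["logger-active", "3.2.1"],
]);

// Takes a parsed package-lock.json and returns [{ name, version, location }]
// for every entry that matches a flagged name and version, direct or transitive.
function findFlagged(lock) {
  const hits = [];
  const check = (name, version, location) => {
    if (FLAGGED.get(name) === version) hits.push({ name, version, location });
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    const marker = "node_modules/";
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const i = path.lastIndexOf(marker);
      // "name" is present when the folder name differs from the real
      // package name (an npm alias), so prefer it over the path.
      const name = meta.name || (i >= 0 ? path.slice(i + marker.length) : path);
      check(name, meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const location = trail ? `${trail} > ${name}` : name;
        check(name, meta.version, location);
        walk(meta.dependencies, location);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/logger-active": { version: "3.2.0" }, // other version: no match
    "node_modules/express/node_modules/utils-terminal": { version: "3.2.1" },
    "node_modules/log": { name: "logger-active", version: "3.2.1" }, // alias
  },
};
console.log(findFlagged(SAMPLE_LOCK));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json. A match means the package was resolved into the dependency tree, so it should be treated as installed until shown otherwise.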