FAMOUS CHOLLIMA Deploys MicrosoftSystem64 npm RAT
FAMOUS CHOLLIMA, a DPRK-linked threat actor group also known by the toskypi cluster of identities, has deployed a multi-platform Remote Access Trojan (RAT), identified as MicrosoftSystem64. This campaign uses malicious npm packages, such as js-logger-pack, to infect cryptocurrency traders and developers. The attack uses HuggingFace as a command-and-control (C2) platform and a data exfiltration channel, which helps it bypass traditional security detections.
The MicrosoftSystem64 RAT, an 81 MB Node.js Single Executable Application (SEA), can steal credentials and execute remote commands on Windows, macOS, and Linux. A live probe on May 28, 2026, confirmed this threat infrastructure was active. Evidence included a valid embedded HuggingFace token and real-time exfiltration of victim data.
This analysis revealed the theft of 417 periodic screenshots and a 500 MB archive containing 1,097 credential files from just two active victims observed in the attacker's HuggingFace datasets. The stolen data included browser credentials, over 80 cryptocurrency wallet extension details, Telegram Desktop sessions, and SSH keys. The actor shows operational resilience by rapidly rotating accounts and pivoting infrastructure.
What are MicrosoftSystem64's Core Capabilities and Targets?
The MicrosoftSystem64 RAT operates as an 81 MB stripped ELF binary. It is packaged as a Node.js v20.18.2 Single Executable Application (SEA) to evade detection and remove Node.js runtime dependencies on victim systems. This packaging allows the malware to appear as a native executable to endpoint monitoring tools, rather than a node process. The binary also sets its process.title to MicrosoftSystem64, mimicking a legitimate Microsoft service.
The malware connects to a WebSocket C2 server at 195[.]201[.]194[.]107:8010 and accepts 24 remote commands from the operator. These commands provide full remote access capabilities, including arbitrary shell command execution, directory listing, drive enumeration, system information collection, and real-time screenshot streaming. The RAT uses a simple XOR cipher for obfuscating hardcoded configuration values. However, plaintext comments left by the attacker in the development build made deobfuscation trivial for analysts.
Data exfiltration is a critical function, using HuggingFace as a backend. Instead of direct C2 uploads, the agent creates private HuggingFace datasets under the attacker's account (jpeek998) and commits stolen files using the Git LFS commit API. This method offloads storage infrastructure and makes network-level detection challenging because traffic appears as legitimate HTTPS requests to a trusted machine learning platform. The C2 server only receives lightweight notifications of successful uploads.
The MicrosoftSystem64 RAT targets browser credentials from 15 browser families on all major operating systems. It also has a hardcoded mapping for over 80 cryptocurrency wallet browser extensions, from which it copies both extension code and localStorage data. The RAT also captures Telegram Desktop sessions by compressing the tdata directory and exfiltrates ~/.ssh directories, including private keys like id_rsa and authorized_keys.
Persistence is established across Windows, macOS, and Linux through Scheduled Tasks, LaunchAgents, systemd user units, and XDG autostart entries, respectively, using the name MicrosoftSystem64. A self-update mechanism checks for new binary versions every 24 hours from a HuggingFace repository (jpeek998/system-releases) to keep the RAT current. A persistent upload queue provides resilience by retrying failed exfiltrations even after system restarts.
A cross-platform keylogger is implemented using native OS APIs, such as SetWindowsHookEx on Windows, CGEventTap on macOS, and xinput/evdev on Linux. This keylogger runs alongside a clipboard watcher that polls every second. Periodic screenshots are captured every 60 seconds and uploaded to HuggingFace, giving operators near real-time visual surveillance of compromised systems.
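The persistence names above are the most durable host artifacts a defender can search for. The following script is an added example written for this article, not code from the original report or from the actor; it checks the user-level persistence locations the report names for macOS and Linux (LaunchAgents, systemd user units, XDG autostart) for files whose name or contents reference "MicrosoftSystem64", and on Windows text-matches `schtasks` CSV output (an assumption about that output's form). The `demo_scan()` helper builds a constructed home directory so the scan can be exercised offline; every file body in it is made up.

```python
"""Hunt for MicrosoftSystem64 persistence artifacts in a user's home directory.

Added example; it is not from the original report and not the actor's code.
It searches the user-level persistence locations the report names for macOS
and Linux (LaunchAgents, systemd user units, XDG autostart) for files whose
name or contents reference "MicrosoftSystem64". The Windows Scheduled Task
check shells out to schtasks and text-matches its CSV output (assumption:
task names appear in that output). demo_scan() builds a constructed home
directory so the scan can be exercised offline.
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path

MARKER = "MicrosoftSystem64"

# Directory (relative to $HOME) -> file extension expected there.
PERSISTENCE_DIRS = {
    "Library/LaunchAgents": ".plist",      # macOS LaunchAgents
    ".config/systemd/user": ".service",    # systemd user units
    ".config/autostart": ".desktop",       # XDG autostart entries
}


def scan_home(home: Path) -> list:
    """Return home-relative paths whose file name or content mentions the marker."""
    hits = []
    for rel, ext in PERSISTENCE_DIRS.items():
        directory = home / rel
        if not directory.is_dir():
            continue
        for entry in sorted(directory.iterdir()):
            if not entry.is_file() or entry.suffix != ext:
                continue
            try:
                body = entry.read_text(errors="ignore")
            except OSError:
                continue
            if MARKER.lower() in entry.name.lower() or MARKER in body:
                hits.append(entry.relative_to(home).as_posix())
    return hits


def scan_windows_tasks() -> list:
    """On Windows, return schtasks CSV rows that mention the marker; empty elsewhere."""
    if os.name != "nt":
        return []
    result = subprocess.run(["schtasks", "/query", "/fo", "csv"],
                            capture_output=True, text=True, check=False)
    return [row for row in result.stdout.splitlines() if MARKER.lower() in row.lower()]


def demo_scan() -> list:
    """Run scan_home over a constructed home with two malicious and two benign entries."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        files = {
            # benign entries (constructed)
            "Library/LaunchAgents/com.example.sync.plist": "<plist><dict></dict></plist>\n",
            ".config/autostart/firefox.desktop": "[Desktop Entry]\nExec=firefox\n",
            # name-based hit: a unit named after the RAT (constructed body)
            ".config/systemd/user/MicrosoftSystem64.service": "[Service]\nExecStart=%h/.cache/ms64\n",
            # content-based hit: innocuous file name, launcher line points at the RAT name
            ".config/autostart/updater.desktop": "[Desktop Entry]\nExec=/home/user/.local/bin/MicrosoftSystem64\n",
        }
        for rel, body in files.items():
            path = home / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return scan_home(home)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home()
    for hit in scan_home(target) + scan_windows_tasks():
        print("persistence artifact:", hit)
```

Run it with a home directory as the only argument (default: the current user's). Matching on file contents as well as names matters because a launcher can carry a bland name while its `Exec`/`ExecStart` line still points at the RAT.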
Attribution links this campaign to FAMOUS CHOLLIMA, a DPRK-linked threat actor group. The associated identity cluster includes npm publishers like jpeek868, jpeek886, jpeek895, and the persistent author identity toskypi. These entities are known for publishing malicious npm packages and are linked to campaigns such as Contagious Trader, which targets cryptocurrency trading bot developers. The pivot to HuggingFace after initial npm takedowns shows the actor's adaptive operational security.
What Happened with the Red Hat Cloud Services npm Supply Chain Compromise?
On June 1, 2026, an attacker compromised Red Hat Cloud Services by abusing npm's GitHub Actions trusted publishing mechanism, affecting 32 @redhat-cloud-services npm packages with a total of 96 malicious versions. Each malicious package version carried valid npm provenance, which indicated the build was ostensibly from the legitimate GitHub repository and workflow. The root cause was an issue where npm binds trusted publishing to a repository and workflow filename, not to a specific branch.
The attacker exploited this by pushing short-lived oidc- branches to RedHatInsights repositories such as javascript-clients, frontend-components, and platform-frontend-ai-toolkit. On each branch, the legitimate CI workflow (ci.yml or release.yml) was rewritten into a self-publishing job. This modified workflow ran a Bun worm with id-token: write permissions. The worm exchanged the workflow's OIDC token for npm publish tokens, then repackaged the legitimate tarballs with a malicious preinstall hook and republished them, complete with valid provenance. The publishes occurred in three waves; the third wave remains the live latest for every affected package.
The injected preinstall hook executes a 4.3 MB index.js payload. This payload uses ROT-9 decoding and AES-128-GCM decryption to reveal a 634 KB Bun script. The script then downloads the Bun runtime from GitHub and executes the decrypted payload. The payload is a multi-cloud credential harvester that steals secrets from various services. Organizations are advised to scan their projects for these and similar malicious npm packages.
The worm harvests cloud credentials for AWS (IMDS, ECS, Secrets Manager, SSM), Azure (managed identity), GCP (service accounts), HashiCorp Vault tokens, Kubernetes service account tokens, GitHub PATs, npm tokens, and data from password managers like Bitwarden and gopass. It self-propagates by injecting a malicious .github/workflows/codeql.yml into accessible repositories and republishing tampered npm tarballs. Stolen credentials are exfiltrated to attacker-controlled public GitHub repositories, identifiable by the description Miasma: The Spreading Blight.
The campaign, "Miasma: The Spreading Blight", also attempts privilege escalation by checking for Docker socket access. If available, it launches a container to bind-mount the host /etc/sudoers.d and grant the CI runner passwordless sudo access. The payload includes anti-analysis measures, checking for endpoint protection tools like CrowdStrike and SentinelOne, and specific environment variables to suppress malicious behaviors in analysis environments. This compromise of Red Hat Cloud Services packages and the abuse of GitHub Actions OIDC trusted publishing were detailed in a recent analysis.
Persistence targets developer tooling, including .claude/settings.json and .vscode/tasks.json, for AI-agent and editor hijacking. The provenance data itself reveals the compromise, showing malicious versions built from attacker-controlled branches like oidc-4d5900f3 but using the registered workflow path (.github/workflows/ci.yml). This allowed npm to issue publish rights and sign provenance, legitimizing the malicious versions. The initial access method for pushing branches to the Red Hat repositories remains an open question.
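Because the provenance attestation records the branch the build ran from, it can be audited directly against a release policy. The script below is an added example, not code from the original report, npm, or Red Hat; it assumes the SLSA v1 provenance shape npm records for GitHub Actions builds, in which `predicate.buildDefinition.externalParameters.workflow` carries the repository, workflow path and git ref (field names are an assumption about that build type). The two attestations it checks are constructed samples: one built from `main`, one from the `oidc-4d5900f3` branch named above, and the package name `@redhat-cloud-services/example` is a placeholder.

```python
"""Flag npm package versions whose provenance shows a build from an unexpected branch.

Added example, not code from the original report, npm, or Red Hat. It assumes
the SLSA v1 provenance shape npm records for GitHub Actions builds, where
predicate.buildDefinition.externalParameters.workflow carries the repository,
workflow path and git ref (assumption: field names as in the SLSA v1 GitHub
Actions build type). The attestations below are constructed samples.
"""
import json
from typing import Optional

# Refs a release may legitimately be built from (per-project policy).
ALLOWED_REFS = {"refs/heads/main", "refs/heads/master"}
ALLOWED_REF_PREFIXES = ("refs/tags/",)   # release tags are also acceptable


def workflow_ref(attestation: dict) -> Optional[str]:
    """Pull the git ref from a SLSA v1 provenance predicate, or None if absent."""
    try:
        return attestation["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["ref"]
    except (KeyError, TypeError):
        return None


def check_provenance(attestations: list) -> list:
    """Return one finding per attestation whose ref is not an allowed branch or tag.

    A statement with no workflow ref at all is also reported, since a missing
    field cannot be distinguished from a stripped attestation.
    """
    findings = []
    for att in attestations:
        subjects = att.get("subject") or [{}]
        subject = subjects[0].get("name", "<unknown>")
        ref = workflow_ref(att)
        if ref is None:
            findings.append({"subject": subject, "ref": None,
                             "reason": "no workflow ref in provenance"})
        elif ref not in ALLOWED_REFS and not ref.startswith(ALLOWED_REF_PREFIXES):
            findings.append({"subject": subject, "ref": ref,
                             "reason": "built from non-release branch"})
    return findings


def make_sample(pkg_version: str, ref: str) -> dict:
    """Constructed provenance statement; only the fields the check reads are filled."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": f"pkg:npm/{pkg_version}"}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "externalParameters": {
                    "workflow": {
                        "repository": "https://github.com/RedHatInsights/javascript-clients",
                        "path": ".github/workflows/ci.yml",   # registered workflow path from the article
                        "ref": ref,
                    }
                }
            }
        },
    }


# Constructed samples: a normal release from main, and a version built from a
# short-lived oidc- branch like the one the article names. Package name is a placeholder.
SAMPLES = [
    make_sample("%40redhat-cloud-services/example@1.0.0", "refs/heads/main"),
    make_sample("%40redhat-cloud-services/example@1.0.1", "refs/heads/oidc-4d5900f3"),
]

if __name__ == "__main__":
    print(json.dumps(check_provenance(SAMPLES), indent=2))
```

The check deliberately treats the repository and workflow path as insufficient on their own: both matched the legitimate values in this compromise, and only the ref exposed the attacker-controlled branch. Pair it with `npm config set ignore-scripts true` on CI and developer machines so a republished tarball's preinstall hook cannot run during installation.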
Why is CISA Warning About Fuel Tank Monitoring Systems?
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and Department of Energy issued a joint warning regarding cyberattacks targeting internet-exposed Automatic Tank Gauge (ATG) systems. These systems are used to monitor fuel and liquid storage tanks across critical infrastructure sectors including Energy, Chemical, Food and Agriculture, and Transportation Systems. Threat actors are compromising these devices and modifying system settings through command execution.
Attackers are gaining access to ATG systems by exploiting vulnerabilities. These include authentication bypass flaws, hardcoded credentials, operating system command-execution vulnerabilities, SQL injection vulnerabilities, and privilege-escalation weaknesses. Once compromised, threat actors can alter critical network settings, product identifiers, tank volumes, and pump controls. They can also disable alerts, preventing operators from accurately monitoring tank fill levels, which could lead to leaks or equipment failures.
While the advisory does not attribute the activity to a specific nation-state or threat actor group, it follows previous CNN reporting that Iranian hackers were behind similar breaches. These earlier incidents involved ATG systems at gas stations, where attackers exploited weak or non-existent passwords on internet-exposed devices. The Iranian group manipulated display readings but did not alter actual fuel levels, though the potential for interference with safety functions was a concern.
Limited forensic evidence has made direct attribution challenging in the recent attacks. However, the observed malicious activity mirrors known tactics of threat actors interested in industrial control systems. CISA recommends immediate mitigation: block ATG systems from direct internet exposure, restrict remote access via firewalls, VPNs, or access control lists, and replace all default passwords. Strong credentials, multifactor authentication, prompt application of security updates, and active system monitoring for unauthorized changes are also advised to reduce the risk of compromise.
What Remote Code Execution Flaw Was Discovered in Redis?
An autonomous AI security tool named Team Xint Code discovered a two-year-old use-after-free vulnerability in Redis, tracked as CVE-2026-23479. This flaw, present in Redis versions 7.2.0 through 7.2.13, 7.4.0 through 7.4.8, 8.2.0 through 8.2.5, 8.4.0 through 8.4.2, and 8.6.0 through 8.6.2, allows an authenticated user to execute arbitrary OS commands on the database-hosting machine. Redis assigned it a CVSS 4.0 score of 7.7, while NVD rated it 8.8 under CVSS 3.1.
The vulnerability resides in the unblockClientOnKey() function within src/blocked.c, which is triggered when a key event unblocks a command. This function dispatches the queued command via processCommandAndResetClient(), which can, as a side effect, free the client. However, unblockClientOnKey() continues to use the freed client pointer, leading to a use-after-free condition (CWE-416). The flaw resulted from two separate commits in January and March 2023 that became dangerous only when combined in Redis 7.2.0.
The full remote code execution chain consists of three stages. First, a Lua script leaks a heap address. Second, the attacker grooms client memory, then frees a blocked client mid-call, immediately reclaiming the freed slot with a fake client structure using a pipelined SET command. Third, Redis's updateClientMemoryUsage() performs an out-of-bounds decrement using attacker-controlled fields, targeting the Global Offset Table (GOT) to repoint strcasecmp() at system(). The next command parsed by Redis then executes as a shell command.
The default Redis Docker image ships with only partial RELRO, leaving the GOT writable at runtime. This facilitates the third stage of the exploit. This full chain requires an authenticated session with CONFIG SET, EVAL, stream commands (XREAD/XADD), and basic SET/GET privileges, typically grouped under @admin, @scripting, @stream, and @read/@write ACL categories. The default Redis user often possesses all these privileges.
Redis has released patched minor versions: 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3, all available since May 5. While no in-the-wild exploitation has been reported, the public release of the technical exploit chain increases the risk. Mitigation strategies for unpatched instances include removing Redis from public internet exposure, enforcing TLS, and tightening ACLs to prevent any single role from combining @admin, CONFIG, and @scripting privileges. Disabling @scripting if Lua is not in use can also disrupt the initial heap address leak.
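The two checks a defender can run immediately are a version comparison against the affected ranges and an ACL review for roles that combine the privileges the chain needs. The following script is an added example, not Redis code or the researchers' tooling; the version ranges are exactly those the article lists, and the ACL parsing is a simplified reading of `ACL LIST` rule tokens (`+@cat`, `-@cat`, `+cmd`, `-cmd`, `allcommands`, `nocommands`) rather than Redis's full grammar. The sample ACL lines are constructed.

```python
"""Check a Redis version and its ACLs against the CVE-2026-23479 guidance.

Added example, not Redis code or the researchers' tooling. The affected and
fixed version ranges are the ones the article lists; the ACL parsing covers
the common 'ACL LIST' rule tokens (+@cat, -@cat, +cmd, -cmd, allcommands,
nocommands) and is simplified relative to Redis's full ACL grammar
(assumption). Sample ACL lines below are constructed.
"""

# (first affected, first fixed) per release line, from the advisory text.
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 14)),
    ((7, 4, 0), (7, 4, 9)),
    ((8, 2, 0), (8, 2, 6)),
    ((8, 4, 0), (8, 4, 3)),
    ((8, 6, 0), (8, 6, 3)),
]

# Capabilities the article says should not all land on a single role.
RISKY = {"admin", "scripting", "config"}


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the unpatched ranges."""
    ver = parse_version(version)
    return any(lo <= ver < fixed for lo, fixed in AFFECTED_RANGES)


def user_capabilities(acl_line: str) -> set:
    """Return the subset of RISKY capabilities granted by one 'ACL LIST' line.

    Rules are applied left to right, as Redis does. CONFIG belongs to the
    @admin category, so granting or revoking @admin also moves 'config'.
    """
    caps = set()
    for tok in acl_line.split()[2:]:          # skip 'user <name>'
        if tok in ("allcommands", "+@all"):
            caps |= RISKY
        elif tok in ("nocommands", "-@all"):
            caps.clear()
        elif tok.startswith("+@"):
            cat = tok[2:]
            if cat in RISKY:
                caps.add(cat)
            if cat == "admin":
                caps.add("config")
        elif tok.startswith("-@"):
            cat = tok[2:]
            caps.discard(cat)
            if cat == "admin":
                caps.discard("config")
        elif tok.lower() == "+config":
            caps.add("config")
        elif tok.lower() == "-config":
            caps.discard("config")
    return caps


def risky_users(acl_lines: list) -> list:
    """Usernames of enabled users whose rules combine @admin, CONFIG and @scripting."""
    out = []
    for line in acl_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "user" or parts[2] == "off":
            continue
        if user_capabilities(line) == RISKY:
            out.append(parts[1])
    return out


# Constructed 'ACL LIST' output: a default user with everything, an app user
# with scripting but no admin rights, an operator with scripting removed, and
# a disabled account. '#<hash>' stands in for a password hash.
SAMPLE_ACL = [
    "user default on nopass ~* &* +@all",
    "user app on #<hash> ~app:* &* -@all +@read +@write +@stream +@scripting",
    "user ops on #<hash> ~* &* +@all -@scripting",
    "user old off nopass ~* &* +@all",
]

if __name__ == "__main__":
    for v in ("7.2.13", "7.2.14", "8.6.2", "8.6.3"):
        print(v, "affected" if is_affected(v) else "patched/unaffected")
    print("users combining admin+config+scripting:", risky_users(SAMPLE_ACL))
```

Feed `risky_users()` the real output of `ACL LIST` from each instance; the `default` user with `+@all` is the configuration the article warns about, and the `ops` line shows the article's suggested split (keep administration, drop `@scripting`) as an ACL rule.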
How Did Meta's AI Support Bot Lead to Instagram Account Hijacks?
Attackers exploited an AI support assistant deployed by Meta to hijack Instagram accounts over the past few months. High-profile victims included accounts belonging to the Obama White House (dormant), beauty retailer Sephora, a senior US Space Force official, and security researcher Jane Manchun Wong. The issue, a "confused deputy" problem, arose because the AI bot had permissions to make account changes without identity verification mechanisms.
The attack method was straightforward: threat actors determined an account owner's geographic region, often through publicly available information, and then used a VPN to match that region. This step helped avoid triggering Instagram's security flags. They then initiated a normal password reset process and engaged with the AI support bot, requesting an email address change on the target account. The bot then sent a one-time code directly to the attacker's inbox, granting them control.
In cases where enhanced security measures were triggered, attackers reportedly resorted to creating video deepfakes of their targets. These deepfakes were constructed using images harvested from Instagram itself, which enabled attackers to bypass more stringent identity verification processes. Meta communications executive Andy Stone confirmed the issue was resolved and impacted accounts were being secured, though the total number of affected accounts was not disclosed.
The motivation behind these hijacks often goes beyond simple defacement; financial gain is a primary driver. Attackers have been known to blackmail businesses reliant on Instagram for marketing or target "OG" accounts with short, desirable usernames that can fetch thousands of dollars on underground markets. This incident shows the risks of deploying AI with broad permissions in sensitive systems without strong security controls.
To protect against such attacks, enabling multi-factor authentication (MFA) is crucial. Reports indicate that accounts with MFA enabled, even using SMS codes, were unaffected by this attack vector. Users should navigate to Instagram's Settings, then their Meta Accounts Center, and enable Two-factor authentication. Using an authenticator app over SMS offers enhanced security. Newer reports suggest additional attack methods are emerging, involving modified Android emulators to manipulate AI prompts with hidden characters.
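The "confused deputy" failure above is a design problem: the assistant's tool could change an account's contact email on the requester's word alone. The code below is an added example illustrating that pattern and its fix; it is not Meta's code and assumes a hypothetical support-bot tool interface. The vulnerable tool applies the bot's privilege to whoever is chatting; the hardened tool accepts the change only with a step-up proof issued by the identity service to the account's owner, bound to that account, fresh, and independent of anything typed into the chat. The signing key and account values are constructed.

```python
"""Gate a support assistant's sensitive account actions behind step-up verification.

Added example illustrating the "confused deputy" pattern from the article; it
is not Meta's code and assumes a hypothetical support-bot tool interface. The
vulnerable version lets the assistant change a contact email for anyone who
asks; the hardened version only accepts the change with a verification proof
issued to the account's owner, scoped to that account, unexpired, and
independent of anything the requester typed into the chat.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

SERVER_KEY = b"constructed-demo-key"   # assumption: a real deployment keeps this in a KMS/HSM
STEP_UP_TTL = 300                       # seconds a step-up proof stays valid


@dataclass
class Account:
    account_id: str
    owner_email: str


@dataclass
class StepUpProof:
    """Issued by the identity service after the owner completes MFA, never by the bot."""
    account_id: str
    issued_at: float
    mac: bytes


def _mac(account_id: str, issued_at: float) -> bytes:
    msg = f"{account_id}|{int(issued_at)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_step_up(account_id: str, now: Optional[float] = None) -> StepUpProof:
    now = time.time() if now is None else now
    return StepUpProof(account_id, now, _mac(account_id, now))


def proof_is_valid(proof: StepUpProof, account_id: str, now: Optional[float] = None) -> bool:
    """Genuine MAC, bound to this account, and issued within the TTL."""
    now = time.time() if now is None else now
    return (
        hmac.compare_digest(proof.mac, _mac(proof.account_id, proof.issued_at))
        and proof.account_id == account_id
        and 0 <= now - proof.issued_at <= STEP_UP_TTL
    )


# --- Vulnerable pattern: the tool acts on the requester's word alone -----------
def change_email_unchecked(account: Account, new_email: str) -> Account:
    """Confused deputy: the bot's privilege is applied to whoever is chatting."""
    account.owner_email = new_email
    return account


# --- Hardened pattern: the tool itself refuses without a bound, fresh proof -----
class StepUpRequired(Exception):
    pass


def change_email_verified(account: Account, new_email: str,
                          proof: Optional[StepUpProof], now: Optional[float] = None) -> Account:
    if proof is None or not proof_is_valid(proof, account.account_id, now):
        raise StepUpRequired(f"step-up verification required for {account.account_id}")
    account.owner_email = new_email
    return account


def bot_handle_request(account: Account, new_email: str,
                       proof: Optional[StepUpProof] = None, now: Optional[float] = None) -> str:
    """What the assistant tells the user; it never calls the unchecked tool."""
    try:
        change_email_verified(account, new_email, proof, now)
    except StepUpRequired:
        return "Please complete verification on your registered device before I can change the email."
    return "Email updated."


if __name__ == "__main__":
    acct = Account("acct-1", "owner@example.com")
    print(bot_handle_request(acct, "someone@example.com"))                 # refused, no proof
    print(bot_handle_request(acct, "new@example.com", issue_step_up("acct-1")))  # accepted
```

The important property is that the check lives in the tool, not in the model's prompt: the assistant cannot be talked into skipping it, and a proof for a different account or an expired one is rejected regardless of how the request is phrased.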
Technical Takeaways
- FAMOUS CHOLLIMA, a DPRK-linked group, uses MicrosoftSystem64, a multi-platform Node.js SEA RAT. It exfiltrated 1,097 credential files and 417 screenshots from two observed victims via HuggingFace datasets.
- The "Miasma: The Spreading Blight" campaign compromised 32 Red Hat Cloud Services npm packages (96 malicious versions). It exploited GitHub Actions trusted publishing flaws, and malicious versions remain live as latest.
- CISA warned of unattributed cyberattacks on critical infrastructure Automatic Tank Gauge (ATG) systems. Attackers exploit authentication bypasses and hardcoded credentials to alter tank monitoring capabilities.
- Team Xint Code, an autonomous AI tool, discovered CVE-2026-23479, a two-year-old authenticated use-after-free RCE in Redis versions 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x.
- Meta's AI support bot was exploited as a "confused deputy." This allowed attackers to hijack Instagram accounts by requesting email changes and potentially using deepfakes to bypass identity verification.