The malicious npm package js-logger-pack (versions up to 1.1.27) has evolved, turning Hugging Face into a dual-threat platform: a malware CDN for initial payloads and, now, a backend for exfiltrating stolen data. JFrog Security researchers dissected the campaign, revealing cross-platform implants that persist, log keystrokes, monitor clipboards, and upload archives to attacker-controlled Hugging Face datasets. […] The post NPM Menace Exposes Hugging Face As Backend For Data Theft and Malware Delivery appeared first on Cyber Security News.