Microsoft Warns Malicious npm Packages Steal Crypto Wallet Data via Hugging Face Abuse
Microsoft has warned that two public npm packages were caught delivering malware that can steal crypto wallet credentials, keystrokes, screenshots, and other sensitive data, with attackers hiding the exfiltration trail through Hugging Face to make the traffic look less suspicious.
- Two compromised npm packages — [email protected] and [email protected]
- Remote access trojan deployed — malware could capture keystrokes, screenshots, and wallet data
- Hugging Face abused — stolen data was routed through trusted AI/ML infrastructure
- Developer machines are high-value targets — private keys, seed phrases, API keys, and logins can all be exposed
Microsoft Threat Intelligence says the packages were compromised to install a remote access trojan, or RAT — malware that gives an attacker broad control over an infected device. For crypto developers, that is not some minor nuisance. It can be a straight-up catastrophe. A single infected laptop may hold browser wallets, private keys, seed phrase files, exchange API keys, GitHub tokens, and cloud logins. That’s not a “computer problem.” That’s access to the vault, the hallway, and the back door all at once.
To make matters worse, Microsoft says the attackers were “abusing Hugging Face repos as exfiltration infrastructure”. In plain English: they used Hugging Face, a legitimate platform popular with AI and machine learning developers, as a hiding place to send stolen data out. That kind of camouflage matters because security teams look for suspicious destinations, and traffic going to a trusted service blends in far better than a direct connection to some obvious criminal server with cartoonishly bad branding.
Microsoft also described the malware as quietly stealing crypto wallet credentials from infected devices, along with keystrokes and screenshots. The company noted that “The campaign stands out because attackers used Hugging Face, a trusted platform for artificial intelligence and machine learning projects, to move stolen data.” That detail is the tell. Criminals keep abusing reputable infrastructure because it works. The traffic looks less suspicious, the detection burden goes up, and everyone else gets to enjoy the consequences.
If you’re not deep into software development, npm is a giant package registry used by JavaScript developers to install libraries and tools. It’s a convenience machine, which is also why it’s such a juicy attack surface. Supply-chain attacks target trusted software dependencies rather than directly attacking the end user. In practice, that means one poisoned package can ripple through a lot of systems downstream. One bad dependency, and suddenly the “safe” tool in your build chain is doing the digital equivalent of emptying your pockets while smiling politely.
Microsoft’s warning fits a broader pattern that should make crypto builders pay close attention. Attackers have been going after software supply chains across npm, PyPI, and the Rust ecosystem, aiming at developers and infrastructure rather than just random retail users. Microsoft previously warned about a campaign called TrapDoor, which reportedly involved more than 34 malicious packages. That is not an isolated weirdness. It points to a sustained effort to compromise the plumbing of modern software.
There’s another ugly layer here: this isn’t the only recent Microsoft warning tied to deceptive software distribution. On May 26, Microsoft said poisoned search results and AI chatbot interactions were used to spread fake PC utility downloads that installed GPU mining malware. That campaign involved fake versions of tools like CrystalDiskInfo and HWMonitor, plus abuse of ScreenConnect and legitimate Microsoft .NET utilities in the delivery chain. Different payload, same playbook: hijack trusted channels, sneak malware past the guardrails, and let the victim do the rest.
For crypto, this is especially nasty because developer machines often hold everything an attacker wants in one place. A browser wallet is just the beginning. Add private keys, seed phrase files, cloud credentials, code repositories, exchange access, and automation tokens, and you’ve got a machine that can unlock not only funds but also infrastructure. The uncomfortable truth is that decentralization does not magically fix poor opsec. A distributed network can still be taken apart by a dumb dependency and a sloppy install.
How do these package compromises usually happen? Often through stolen maintainer credentials, malicious updates, typosquatting, or account takeover. In other words, attackers don’t always need to break the package ecosystem in a dramatic way; they just need to slip into the trust chain at one point and wait for the installs to spread. That’s what makes supply-chain attacks so irritatingly effective. They’re quiet, scalable, and they turn normal developer behavior into the delivery mechanism.
Microsoft’s advice is practical, and for once it’s not bloated corporate mush. Developers should audit recent package installs, remove suspicious dependencies, rotate exposed credentials, and check wallet activity. Crypto users should avoid storing seed phrases on connected devices and verify every wallet transaction before signing. That last part deserves more respect than it usually gets. If you sign a malicious transaction, the blockchain doesn’t care about your regret, your excuse, or your bad afternoon. It will execute exactly what you approved.
There’s also a broader lesson for teams building in crypto and Web3: treat package integrity like it matters, because it does. Lock dependency versions. Review changes before updates land. Use hardware wallets for meaningful balances. Revoke old approvals when they’re no longer needed. Keep secrets out of dev laptops where possible. Isolate build environments. Use secret scanners. And if a machine has been exposed, don’t half-ass the cleanup — rotate credentials as if the attacker already copied everything, because in a supply-chain compromise, assuming otherwise is how people get wrecked.
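The package audit and lockfile advice above, as an added example (not Microsoft's tooling and not code from the original article): a Node.js check of a `package-lock.json` against a watchlist, plus general lockfile hygiene flags. The watchlist entry, package names and sample lockfile are constructed placeholders.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for review items.
// WATCHLIST entries are placeholders; use the name@version pairs from the advisory.
const WATCHLIST = new Set(['example-compromised-pkg@1.2.3']);
const REGISTRY = 'https://registry.npmjs.org/';

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

function auditLockfile(lock, watchlist = WATCHLIST) {
  const findings = [];
  const add = (id, severity, reason) => findings.push({ id, severity, reason });
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '' || meta.link) continue; // skip root project and workspace links
    const id = `${meta.name || nameFromKey(key)}@${meta.version}`;
    if (watchlist.has(id)) add(id, 'high', 'on watchlist');
    // The checks below are general hygiene signals, not indicators of this campaign.
    if (meta.hasInstallScript) add(id, 'review', 'runs install script');
    if (!meta.integrity) add(id, 'review', 'no integrity hash');
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) add(id, 'review', 'non-registry source');
  }
  return findings;
}

// Constructed sample; for a real project pass JSON.parse of package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/constructed-safe-lib': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/constructed-safe-lib/-/constructed-safe-lib-2.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/example-compromised-pkg': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/example-compromised-pkg/-/example-compromised-pkg-1.2.3.tgz',
      integrity: 'sha512-CONSTRUCTED',
      hasInstallScript: true,
    },
    'node_modules/a/node_modules/@scope/git-dep': {
      version: '0.1.0',
      resolved: 'git+ssh://git@example.invalid/scope/git-dep.git#0000000',
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.severity}\t${f.id}\t${f.reason}`);
```

Bundled dependencies carry no integrity field in the lockfile, so expect them among the review items.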
The real problem here is not just malware. It’s the growing tendency of attackers to hide inside the normal tools developers use every day. That includes package registries, AI infrastructure, search results, and trusted download paths. Crypto has always attracted thieves, but the smarter thieves have stopped banging on the front door. They’re slipping through the side entrance wearing a fake badge and carrying a box labeled “dependencies.”
Key takeaways and questions:
What did Microsoft find?
Microsoft found malicious npm packages that installed malware capable of stealing crypto credentials and other sensitive data.
What is npm malware?
It is malicious code hidden inside or delivered through npm packages, which developers install as part of normal software building and maintenance.
Why does Hugging Face matter here?
Attackers used Hugging Face repos to move stolen data, which can make the traffic appear more legitimate and harder to detect.
Who is most at risk?
Crypto developers, JavaScript developers, traders, wallet users, and anyone with sensitive credentials stored on an infected machine.
What data can be stolen?
Wallet credentials, keystrokes, screenshots, seed phrase files, private keys, exchange API keys, GitHub tokens, and cloud logins.
Why are supply-chain attacks such a big deal?
Because one compromised dependency can infect many downstream users and systems, turning trusted software into a malware delivery system.
What should developers do right now?
Audit installed packages, remove suspicious dependencies, rotate exposed credentials, and check wallet and system activity.
What should crypto users do?
Never store seed phrases on connected devices, use hardware wallets where appropriate, and verify every wallet transaction before signing.
Is this just a developer problem?
No. Developers are the main target, but the payoff often reaches wallets, infrastructure, and users downstream.
What bigger trend does this point to?
Attackers are increasingly targeting the crypto software supply chain and legitimate platforms used by developers, not just exchanges or retail users.
For anyone building or holding crypto, the message is blunt: trust nothing by default, especially not a package you didn’t inspect. In a sector that loves talking about sovereignty and self-custody, boring security discipline is still what keeps people from learning expensive lessons the hard way.