eo-terminalnpm

Part of a multi-package malicious campaign by npm author toskypi, eo-terminal is a fully-featured infostealer and remote access trojan (RAT) disguised as "terminal changelog logger utilities." The package README describes a completely different package (terminal-logger-utils), indicating a name-recycling or typosquatting attack. It is part of the same campaign as logger-draft.

On installation, a postinstall hook runs utils.js, which performs a sandbox check (aborts if CPU count ≤ 4 or no CPU model string), copies the 24,000-line payload.js to a persistent path named MicrosoftSystem64, registers it as a persistent service (systemd user service on Linux, LaunchAgent plist on macOS, scheduled task or HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key on Windows), and launches the payload as a detached background agent — process.exit(0) is called immediately so the npm install completes with no visible errors.

C2 infrastructure: Primary WebSocket/HTTP C2 at ws://195.201.194.107:8010 (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository yszf984308/system-release via a hardcoded API token. C2 config strings are XOR-obfuscated with key [90, 60, 126, 18, 159, 75, 109, 138] and base64-encoded in dist/config.js.

Capabilities:

• Keylogger — full keystroke and password-field capture with an offline queue at ~/.pcl-data/offline-queue.jsonl that drains automatically on C2 reconnect
• Clipboard harvesting — polls every 1,000 ms via platform-native tools (pbpaste, xclip, PowerShell)
• Screenshot capture and live streaming — one-shot and continuous AnyDesk-style streaming; periodic upload to HuggingFace
• Browser credential theft — Login Data, Cookies, Web Data from all Chromium-family browsers; logins.json, key4.db, cert9.db from Firefox
• Crypto wallet exfiltration — 20+ wallets including Exodus, Electrum, Phantom, Ledger Live, Trezor, Trust Wallet, Monero GUI, and Bitcoin/Litecoin/Dogecoin Core
• SSH backdoor — exfiltrates ~/.ssh/ contents and appends attacker RSA key (bink@DESKTOP-N8JGD6T) to authorized_keys
• Shell history theft — 15+ history file formats including .bash_history, .zsh_history, PowerShell ConsoleHost_history.txt, and ~/.atuin/history.db; iterates all user home directories
• Environment variable harvesting — targets API keys, tokens, and cloud credentials matching keywords such as aws, github_token, npm_token, stripe, openai, and jwt
• .env file theft — reads the victim's project-root .env at install time
• Telegram session theft — gzip-packs and uploads the full tdata/ directory (up to 500 MB)
• Cloud credential theft — ~/.aws/, ~/.azure/, ~/.kube/, ~/.config/gcloud/, ~/.docker/, ~/.gnupg/, .git-credentials, .netrc
• Recursive filesystem scan — scans for certificates, key files, and credential-named files (.pem, .key, .pfx, .kdbx, .ppk, wallet, mnemonic, seed, etc.); uploads matches (up to 50 MB each) to HuggingFace
• Remote command execution — arbitrary shell commands and full interactive terminal sessions
• Self-update — polls HuggingFace for updated versions and deploys platform-native compiled binaries (MicrosoftSystem64-win.exe, -linux, -darwin-x64, -darwin-arm64)

Evasion: The payload detaches from the npm install process immediately (no blocking output), masquerades as MicrosoftSystem64 to blend into Windows system process names, abuses HuggingFace as a trusted exfiltration channel, and uses XOR+base64 obfuscation for all C2 config strings.

package.json declares "postinstall": "node utils.cjs". utils.cjs is heavily obfuscated (obfuscator.io string array of ~1300 entries, hex-named accessors, RC4+base64 decoder _d(), debugger/anti-console traps with a 4-second setInterval). At install time it decrypts a hidden binary URL and bearer token, GETs a platform-specific executable from that URL with Authorization: Bearer <decoded-token>, writes it into an app-data directory, chmods it 0o755, and spawns it detached with no integrity verification. After dropping the binary it installs OS-level persistence on every platform: a Windows HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry value via reg.exe ADD, a macOS LaunchAgent plist in ~/Library/LaunchAgents/, and a systemd user .service + .timer in ~/.config/systemd/user/ enabled via systemctl --user enable. Re-execution gated on a _postinstall_complete argument ensures persistent relaunch across reboots. Package metadata further indicates deception: the published name is eo-terminal while README describes the package as terminal-logger-utils and claims 'zero runtime dependencies' contradicting the 9 dependencies declared in package.json. The combination of obfuscated install-time URL and token, opaque remote binary execution, multi-OS persistence, and name/README mismatch is unambiguous attacker behavior.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.