The official jscrambler npm package — a widely used JavaScript obfuscation and code-protection tool — was compromised on July 11, 2026 to publish a malicious 8.14.0 release. The package’s own preinstall hook silently drops and executes a cross-platform Rust infostealer on every machine that runs npm install. Socket detected the compromised release roughly six minutes after publication; Aikido, StepSecurity, and SafeDep have since published corroborating analysis.

What Happened

The attacker gained publish access to the jscrambler package on npm (the exact vector — stolen maintainer token, compromised CI, or account takeover — has not been disclosed) and pushed version 8.14.0. That release adds an undocumented preinstall script in package.json pointing at a new file, dist/setup.js, along with dist/intro.js and a set of platform-specific binaries for Linux, macOS, and Windows bundled inside an obfuscated container.

Because npm executes preinstall hooks automatically and unconditionally, simply running npm install with [email protected] in the dependency tree is enough to trigger infection — there is no need to import the package, call its API, or invoke the Jscrambler CLI. That makes the blast radius unusually wide: developer workstations, CI/CD build agents, and any automated pipeline that resolves jscrambler@latest or an unpinned ^8.x/8.14.x range during the exposure window are all at risk.

Technical Details

dist/setup.js selects and unpacks the binary matching the host OS, then hands off execution to it. The payload is written in Rust and compiled per-platform, which lets it run with no runtime dependencies and makes static signature detection harder than an equivalent JS or Python stealer.

Once running, the stealer sweeps the host for:

  • Cloud credentials — AWS, Azure, and Google Cloud config and credential files, including cloud-provider instance metadata endpoints (e.g. 169.254.169.254) that CI runners rely on for short-lived tokens.
  • Cryptocurrency wallets — seed phrases and keystore files from MetaMask, Phantom, and Exodus.
  • Password manager data — the local Bitwarden vault.

Harvested material is packaged and exfiltrated over TLS to an attacker-controlled drop server. No self-propagation or worm behavior has been reported — this is a straight credential-harvesting payload, not a package-to-package spreader like earlier 2026 npm worm campaigns.

Affected release: jscrambler 8.14.0, published July 11, 2026. A clean 8.15.0 has since been published; 8.13.0 and earlier are unaffected.

Impact

Any environment that installed [email protected] — even transiently, as a build-time devDependency — should be treated as compromised, not merely exposed. CI runners are a particular concern because they routinely hold cloud IAM credentials, deployment tokens, and registry publish tokens with far more reach than a single developer’s laptop. If a CI pipeline pulled the poisoned version, assume every secret available to that pipeline is burned.

Mitigation

  • Grep package-lock.json, yarn.lock, pnpm-lock.yaml, and CI dependency caches for jscrambler at version 8.14.0.
  • Upgrade to 8.15.0, or pin to 8.13.0 if you need a pre-incident version while validating the fix.
  • Purge 8.14.0 from local npm/yarn/pnpm caches and any private registry mirrors or Verdaccio/Artifactory proxies that may have cached the tarball.
  • Rotate AWS/Azure/GCP credentials, cloud metadata-derived tokens, and any secrets accessible to hosts or CI runners that installed the bad version.
  • Treat crypto wallets (MetaMask, Phantom, Exodus) and the Bitwarden vault as compromised on any affected machine and rotate/re-key accordingly.
  • Rebuild affected CI images and developer environments from known-good state rather than trusting in-place cleanup, given the payload runs as a native binary with full user-level access.

Sources