The official jscrambler npm package — a widely used JavaScript obfuscation and code-protection tool — was compromised on July 11, 2026 to publish a malicious 8.14.0 release. The package’s own preinstall hook silently drops and executes a cross-platform Rust infostealer on every machine that runs npm install. Socket detected the compromised release roughly six minutes after publication; Aikido, StepSecurity, and SafeDep have since published corroborating analysis.
What Happened
The attacker gained publish access to the jscrambler package on npm (the exact vector — stolen maintainer token, compromised CI, or account takeover — has not been disclosed) and pushed version 8.14.0. That release adds an undocumented preinstall script in package.json pointing at a new file, dist/setup.js, along with dist/intro.js and a set of platform-specific binaries for Linux, macOS, and Windows bundled inside an obfuscated container.
Because npm executes preinstall hooks automatically and unconditionally, simply running npm install with [email protected] in the dependency tree is enough to trigger infection — there is no need to import the package, call its API, or invoke the Jscrambler CLI. That makes the blast radius unusually wide: developer workstations, CI/CD build agents, and any automated pipeline that resolves jscrambler@latest or an unpinned ^8.x/8.14.x range during the exposure window are all at risk.
Technical Details
dist/setup.js selects and unpacks the binary matching the host OS, then hands off execution to it. The payload is written in Rust and compiled per-platform, which lets it run with no runtime dependencies and makes static signature detection harder than an equivalent JS or Python stealer.
Once running, the stealer sweeps the host for:
- Cloud credentials — AWS, Azure, and Google Cloud config and credential files, including cloud-provider instance metadata endpoints (e.g.
169.254.169.254) that CI runners rely on for short-lived tokens. - Cryptocurrency wallets — seed phrases and keystore files from MetaMask, Phantom, and Exodus.
- Password manager data — the local Bitwarden vault.
Harvested material is packaged and exfiltrated over TLS to an attacker-controlled drop server. No self-propagation or worm behavior has been reported — this is a straight credential-harvesting payload, not a package-to-package spreader like earlier 2026 npm worm campaigns.
Affected release: jscrambler 8.14.0, published July 11, 2026. A clean 8.15.0 has since been published; 8.13.0 and earlier are unaffected.
Impact
Any environment that installed [email protected] — even transiently, as a build-time devDependency — should be treated as compromised, not merely exposed. CI runners are a particular concern because they routinely hold cloud IAM credentials, deployment tokens, and registry publish tokens with far more reach than a single developer’s laptop. If a CI pipeline pulled the poisoned version, assume every secret available to that pipeline is burned.
Mitigation
- Grep
package-lock.json,yarn.lock,pnpm-lock.yaml, and CI dependency caches forjscramblerat version8.14.0. - Upgrade to
8.15.0, or pin to8.13.0if you need a pre-incident version while validating the fix. - Purge
8.14.0from local npm/yarn/pnpm caches and any private registry mirrors or Verdaccio/Artifactory proxies that may have cached the tarball. - Rotate AWS/Azure/GCP credentials, cloud metadata-derived tokens, and any secrets accessible to hosts or CI runners that installed the bad version.
- Treat crypto wallets (MetaMask, Phantom, Exodus) and the Bitwarden vault as compromised on any affected machine and rotate/re-key accordingly.
- Rebuild affected CI images and developer environments from known-good state rather than trusting in-place cleanup, given the payload runs as a native binary with full user-level access.
Sources
- Socket: Jscrambler npm Package Compromised in Supply Chain Attack
- The Hacker News: Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
- StepSecurity: jscrambler npm package publishes malicious preinstall binary
- SafeDep: Official jscrambler npm Package Compromised Across Multiple Releases