Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Exploit jscrambler in Supply Chain Attack

Hackers Exploit jscrambler in Supply Chain Attack

Posted on July 13, 2026 By CWS

A recent supply chain attack targeted the popular JavaScript protection tool, jscrambler, which sees over 15,800 downloads weekly. This attack involved malicious versions that deployed native malware across Linux, macOS, and Windows systems.

Discovery of Malicious Releases

The Socket Research Team was quick to identify the compromised release, [email protected], on July 11, 2026, just minutes after it went live. The malicious version featured an undocumented preinstall script that executed harmful code during the npm install process, without requiring any further action from the user.

The affected versions included 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Jscrambler confirmed that these unauthorized releases were uploaded using a stolen npm publishing credential. Subsequent actions included revocation of credentials and the release of a clean version 8.22.0.

Technical Breakdown of the Attack

Initially, the attackers embedded a preinstall hook to launch dist/setup.js. This loader fetched a binary container, dist/intro.js, and executed a payload based on the operating system, all without user interaction. The container included binaries for Linux, Windows, and macOS.

From version 8.18.0, the attackers modified their approach by embedding the loader directly into the main JavaScript files, allowing the malware to activate upon importing jscrambler or using its CLI, thus evading npm lifecycle script checks.

Implications and Recommendations

The malware aimed to extract valuable developer and cloud credentials, accessing browser data, cryptocurrency wallets, and several communication platforms. It also targeted cloud services such as AWS, Google Cloud, and Microsoft Azure, exploiting metadata endpoints and secret-management services.

Developers are urged to remove affected jscrambler versions and audit their npm installation logs. Rotating exposed credentials and upgrading to version 8.22.0 is strongly recommended. The event underscores the risks associated with stolen npm credentials, transforming trusted dependencies into avenues for credential theft.

To hinder analysis, the malware employed ChaCha20-Poly1305 encryption for configuration strings. Stolen data was likely uploaded through encrypted TLS connections via multipart HTTP requests.

This incident serves as a critical reminder of the importance of securing software supply chains and highlights the potential damage of credential theft within development environments.

Cyber Security News Tags:cloud credentials, developer security, Encryption, jscrambler, Linux, macOS, Malware, npm package, supply chain attack, Windows

Post navigation

Previous Post: Zimbra Addresses Critical Code Execution Flaw

Related Posts

CISA Releases 13 New Industrial Control Systems Surrounding Vulnerabilities and Exploits CISA Releases 13 New Industrial Control Systems Surrounding Vulnerabilities and Exploits Cyber Security News
CISOs Guide to Regulatory Compliance in Global Landscapes CISOs Guide to Regulatory Compliance in Global Landscapes Cyber Security News
Critical Linux Vulnerability Threatens System Security Critical Linux Vulnerability Threatens System Security Cyber Security News
Malicious AI Skills Evade Detection in Major Platforms Malicious AI Skills Evade Detection in Major Platforms Cyber Security News
Cisco Firewall Vulnerability Used for Ransomware Attacks Cisco Firewall Vulnerability Used for Ransomware Attacks Cyber Security News
TA4922 Cyber Group Expands Global Malware Campaigns TA4922 Cyber Group Expands Global Malware Campaigns Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Hackers Exploit jscrambler in Supply Chain Attack
  • Zimbra Addresses Critical Code Execution Flaw
  • Hackers Exploit Academic Events to Deploy RokRAT
  • Progress Urges ShareFile Shutdown Due to Security Risks
  • Major Microsoft 365 Phishing Operations Exposed by Server Error

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Hackers Exploit jscrambler in Supply Chain Attack
  • Zimbra Addresses Critical Code Execution Flaw
  • Hackers Exploit Academic Events to Deploy RokRAT
  • Progress Urges ShareFile Shutdown Due to Security Risks
  • Major Microsoft 365 Phishing Operations Exposed by Server Error

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark