A recent supply chain attack targeted the popular JavaScript protection tool, jscrambler, which sees over 15,800 downloads weekly. This attack involved malicious versions that deployed native malware across Linux, macOS, and Windows systems.
Discovery of Malicious Releases
The Socket Research Team was quick to identify the compromised release, [email protected], on July 11, 2026, just minutes after it went live. The malicious version featured an undocumented preinstall script that executed harmful code during the npm install process, without requiring any further action from the user.
The affected versions included 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Jscrambler confirmed that these unauthorized releases were uploaded using a stolen npm publishing credential. Subsequent actions included revocation of credentials and the release of a clean version 8.22.0.
Technical Breakdown of the Attack
Initially, the attackers embedded a preinstall hook to launch dist/setup.js. This loader fetched a binary container, dist/intro.js, and executed a payload based on the operating system, all without user interaction. The container included binaries for Linux, Windows, and macOS.
From version 8.18.0, the attackers modified their approach by embedding the loader directly into the main JavaScript files, allowing the malware to activate upon importing jscrambler or using its CLI, thus evading npm lifecycle script checks.
Implications and Recommendations
The malware aimed to extract valuable developer and cloud credentials, accessing browser data, cryptocurrency wallets, and several communication platforms. It also targeted cloud services such as AWS, Google Cloud, and Microsoft Azure, exploiting metadata endpoints and secret-management services.
Developers are urged to remove affected jscrambler versions and audit their npm installation logs. Rotating exposed credentials and upgrading to version 8.22.0 is strongly recommended. The event underscores the risks associated with stolen npm credentials, transforming trusted dependencies into avenues for credential theft.
To hinder analysis, the malware employed ChaCha20-Poly1305 encryption for configuration strings. Stolen data was likely uploaded through encrypted TLS connections via multipart HTTP requests.
This incident serves as a critical reminder of the importance of securing software supply chains and highlights the potential damage of credential theft within development environments.
