The jscrambler npm package has been compromised, with its 8.14.0 release executing a Rust-based infostealer during installation. Released on July 11, 2026, this malicious version includes a preinstall hook that deploys a native binary compatible with Windows, macOS, and Linux systems.
Details of the Compromise
Within minutes of its release, Socket flagged the malicious package. If installed during this brief window, the payload would have already executed, utilizing the install process’s privileges. This issue does not exist in the previous 8.13.0 release. The package’s diff reveals two new files: setup.js and intro.js. Despite its name, intro.js is not JavaScript but a container with three compressed binaries for different operating systems.
Upon installation, setup.js selects the appropriate binary based on the host OS, writes it to the system’s temp directory, marks it as executable, and runs it silently. Notably, these files are absent from jscrambler’s public source, and no corresponding commits or tags exist for version 8.14.0 on its GitHub repository.
Implications for Developers
The Rust infostealer targets sensitive developer information, including cloud credentials, cryptocurrency wallets, and password manager data, as well as browser-stored cookies and session data from communication platforms. Additionally, it seeks configuration files for AI coding tools, such as Claude Desktop and VS Code, which may contain API keys.
The Linux variant of the payload can load an eBPF program directly into the kernel, offering a deeper level of system access compared to user space. The Windows and macOS versions implement anti-debugging measures and ensure persistence through scheduled tasks and LaunchAgents, respectively.
Preventive Measures and Next Steps
Users should transition from version 8.14.0 to 8.15.0 or revert to 8.13.0 to mitigate risks. It is crucial to inspect lockfiles and logs for any evidence of the compromised version’s installation. If found, assume all accessed secrets are compromised and take steps to rotate keys and revoke sessions.
Despite swift remediation efforts, the damage occurs swiftly upon installation. Users with older npm clients that automatically run install scripts remain vulnerable. It is essential to update to npm 12, which disables such scripts by default.
Indicators of compromise include specific SHA-256 hashes for the added files and network endpoints used by the malware. Security teams should monitor for these artifacts to enhance detection and response efforts.
