Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Compromised jscrambler npm Package Drops Infostealer

Compromised jscrambler npm Package Drops Infostealer

Posted on July 11, 2026 By CWS

The jscrambler npm package has been compromised, with its 8.14.0 release executing a Rust-based infostealer during installation. Released on July 11, 2026, this malicious version includes a preinstall hook that deploys a native binary compatible with Windows, macOS, and Linux systems.

Details of the Compromise

Within minutes of its release, Socket flagged the malicious package. If installed during this brief window, the payload would have already executed, utilizing the install process’s privileges. This issue does not exist in the previous 8.13.0 release. The package’s diff reveals two new files: setup.js and intro.js. Despite its name, intro.js is not JavaScript but a container with three compressed binaries for different operating systems.

Upon installation, setup.js selects the appropriate binary based on the host OS, writes it to the system’s temp directory, marks it as executable, and runs it silently. Notably, these files are absent from jscrambler’s public source, and no corresponding commits or tags exist for version 8.14.0 on its GitHub repository.

Implications for Developers

The Rust infostealer targets sensitive developer information, including cloud credentials, cryptocurrency wallets, and password manager data, as well as browser-stored cookies and session data from communication platforms. Additionally, it seeks configuration files for AI coding tools, such as Claude Desktop and VS Code, which may contain API keys.

The Linux variant of the payload can load an eBPF program directly into the kernel, offering a deeper level of system access compared to user space. The Windows and macOS versions implement anti-debugging measures and ensure persistence through scheduled tasks and LaunchAgents, respectively.

Preventive Measures and Next Steps

Users should transition from version 8.14.0 to 8.15.0 or revert to 8.13.0 to mitigate risks. It is crucial to inspect lockfiles and logs for any evidence of the compromised version’s installation. If found, assume all accessed secrets are compromised and take steps to rotate keys and revoke sessions.

Despite swift remediation efforts, the damage occurs swiftly upon installation. Users with older npm clients that automatically run install scripts remain vulnerable. It is essential to update to npm 12, which disables such scripts by default.

Indicators of compromise include specific SHA-256 hashes for the added files and network endpoints used by the malware. Security teams should monitor for these artifacts to enhance detection and response efforts.

The Hacker News Tags:AI tools security, build system security, CI/CD pipeline, cloud credentials, Cybersecurity, DevOps security, InfoStealer, jscrambler, malware detection, NPM, npm compromise, npm package security, Rust malware, software supply chain

Post navigation

Previous Post: Ghostcommit Exploit Hides Malicious Code in Images
Next Post: Espionage Campaigns Target Pakistani Police Portals

Related Posts

Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host The Hacker News
GitHub Copilot Generates Harmful Code Despite Refusals GitHub Copilot Generates Harmful Code Despite Refusals The Hacker News
Researchers Warn of MystRodX Backdoor Using DNS and ICMP Triggers for Stealthy Control Researchers Warn of MystRodX Backdoor Using DNS and ICMP Triggers for Stealthy Control The Hacker News
Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices The Hacker News
Critical Cisco Vulnerability Added to CISA’s Exploited List Critical Cisco Vulnerability Added to CISA’s Exploited List The Hacker News
Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer
  • Ghostcommit Exploit Hides Malicious Code in Images
  • Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort
  • MacOS Screen Sharing Issue in Microsoft Teams

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer
  • Ghostcommit Exploit Hides Malicious Code in Images
  • Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort
  • MacOS Screen Sharing Issue in Microsoft Teams

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark