The npm package jscrambler was compromised through malicious version 8.14.0, which added an undocumented preinstall hook and install-time files that executed hidden native binaries on Windows, macOS, and Linux during npm install, before application code ran. Researchers said the release appeared to be published directly to npm from a legitimate maintainer account without matching source repository commits or tags, pointing to a likely compromise of the maintainer account or build pipeline. Socket reported detecting the release within minutes of publication and alerted the maintainers, while a subsequent 8.15.0 release appeared clean.
Further analysis linked the package to a Rust-based infostealer aimed at developer workstations and CI/build environments, creating exposure for source code, environment variables, build credentials, deployment tokens, and other secrets. Reported targets included cloud credentials, browser data, messaging sessions, cryptocurrency wallets, Bitwarden vault contents, and configuration files for AI coding tools such as Claude Desktop, Cursor, Windsurf, VS Code, and Zed. Researchers also observed anti-debugging on Windows and macOS, Linux eBPF capability, persistence through Windows scheduled tasks and macOS LaunchAgents, and encrypted command-and-control details; because 8.14.0 remained available on npm, pinned installs on older npm clients that still run install scripts could continue to trigger the payload.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Reporting identified further compromised jscrambler npm releases—8.16.0, 8.17.0, 8.18.0, and 8.20.0—after the initial 8.14.0 incident. These later versions reportedly shifted the malware from an install-time hook into the CLI execution path, continuing delivery of a cross-platform Rust-based infostealer.
Version 8.15.0 was released as a replacement for the compromised 8.14.0 package and was reported to appear clean. However, the malicious 8.14.0 version remained available on npm, leaving pinned installs and older npm clients at risk if they still executed install scripts.
Socket detected the malicious jscrambler 8.14.0 release six minutes after it was published and reported the issue to the package maintainers. The detection identified the new install-time behavior as a supply-chain compromise affecting developer workstations and CI/build environments.
A compromised version of the npm package jscrambler, 8.14.0, was published to npm with an undocumented preinstall hook and install-time files that executed hidden native binaries on Windows, macOS, and Linux. Reporting indicates the release was likely pushed from a legitimate maintainer account without matching source repository commits or tags.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
trojan-killer.net
Open sourcethehackernews.com
Open sourcesocket.dev
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.