A supply chain attack on the jscrambler npm package, a JavaScript code-protection tool with over 15,800 weekly downloads, involved malicious versions that silently deployed native malware on Linux, macOS, and Windows systems.
Socket Research Team detected the first malicious release, jscrambler@8.14.0, on July 11, 2026, only six minutes after publication.
The compromised release added an undocumented preinstall script, causing malicious code to execute automatically when a developer ran npm install. Victims did not need to import the package or run its command-line tool for the payload to launch.
The attack affected versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Jscrambler later confirmed that an attacker used an npm publishing credential to upload the unauthorized releases.
The company revoked and rotated publishing credentials, deprecated the affected versions, and released clean version 8.22.0.
Hackers Compromise jscrambler Package
In the early malicious releases, the attackers inserted a preinstall hook that launched dist/setup.js. This loader read a disguised binary container named dist/intro.js, selected a payload based on the victim’s operating system, and wrote it to a hidden temporary file.
It then started the executable in the background without displaying output or requiring user interaction. The container held three Rust-based binaries: a Linux ELF file, a Windows PE executable, and a macOS Apple Silicon Mach-O binary.
Starting with version 8.18.0, the attackers removed the install hook and injected the same loader into the package’s main JavaScript files.
This allowed the malware to run when an application imported jscrambler or when its CLI was executed, bypassing checks focused only on npm lifecycle scripts.
According to the Socket Research Team, the malware was designed to steal high-value developer and cloud credentials, targeting browser data, cryptocurrency wallets, Discord, Slack, Telegram, Steam sessions, cloud tokens, and local OS keyrings.
It also searched for configuration files used by AI coding tools, including Claude Desktop, Cursor, Windsurf, VS Code, Zed, and MCP server configurations, which can contain API keys and sensitive connection details.
The payload also attempted to access credentials for AWS, Google Cloud, and Microsoft Azure. It included references to cloud metadata endpoints, secret-management services, Kubernetes APIs, and deployment environments.
This poses a serious risk to software developers because build systems and CI pipelines often contain source code, signing keys, deployment tokens, and production credentials.
To slow analysis, the malware encrypted around configuration strings using ChaCha20-Poly1305 encryption. Researchers also identified network code that appeared to upload stolen data via encrypted TLS connections, using a multipart HTTP request to the/upload endpoint.
Organizations should immediately remove affected jscrambler versions, audit npm installation and CI logs, and rotate credentials exposed on impacted developer systems and build servers.
Users should upgrade to verified clean version 8.22.0 and review lockfiles for transitive references to compromised versions.
The incident highlights how a stolen npm publishing credential can turn a trusted developer dependency into an effective entry point for credential theft and cloud compromise.
Indicators of Compromise
IOC TypeIndicatorAffected Versionsjscrambler 8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0Patched Versionjscrambler 8.22.0Preinstall Hookpreinstall: node dist/setup.jsDropped Filesdist/setup.js, dist/intro.jsLoader SHA-256a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60Payload SHA-256a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86package.json SHA-256bba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0Linux ELF SHA-256fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bdWindows PE SHA-256b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903macOS Mach-O SHA-256c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fdFile Signature1b 43 53 49 01 (\x1bCSI\x01)Execution ArtifactHidden temp executableProcess ArtifactDetached spawn() processNetwork IOCPOST /upload (multipart/form-data)Cloud Metadata169.254.169[.]254, 169.254.170[.]2, metadata.google.internalRecon Endpointscheck.torproject.org/api/ip, 1.1.1.1, 8.8.8.8
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post Hackers Compromised jscrambler With 15,800+ Weekly Downloads to Attack Developers appeared first on Cyber Security News.



