The popular jscrambler npm package was compromised in its 8.14.0 release, which included a malicious preinstall hook that deployed a Rust-based infostealer. Released on July 11, 2026, this version targeted developers by executing a binary specific to the host's operating system—Windows, macOS, or Linux—during installation. The infostealer was designed to extract sensitive information such as cloud credentials, cryptocurrency wallets, and configuration files for AI coding tools. This breach was identified by Socket only six minutes after its release, but any installation within that timeframe likely executed the malicious code.
The malicious files included setup.js and intro.js in the package's distribution, with the latter containing a container for the executable binaries. These binaries were not present in the previous version, 8.13.0, and were not associated with any public commit or pull request in the jscrambler GitHub repository. The compromised release was pushed directly to npm under a legitimate maintainer's account, suggesting a breach in the account or build pipeline.
The Rust infostealer was sophisticated, incorporating features like kernel-level access on Linux via eBPF programs and persistent execution mechanisms on Windows and macOS. The infostealer communicated with hard-coded IP addresses and utilized Tor for network communication, making it difficult to detect and analyze.
Subsequent updates, including versions 8.16.0, 8.17.0, 8.18.0, and 8.20.0, were also compromised, each carrying the infostealer but varying in their methods of deployment. Jscrambler has since taken corrective measures, publishing version 8.22.0 as a clean update and revoking compromised credentials. They advise users to upgrade and perform a thorough security audit of any systems that may have installed the affected versions.


