Critical jscrambler Supply Chain Attack Targets Developers
Key Takeaways A sophisticated supply chain attack targeted the jscrambler npm package, injecting malicious code into multiple versions. The compromised versions deployed native malware capable of...
Key Takeaways
- A sophisticated supply chain attack targeted the
jscramblernpm package, injecting malicious code into multiple versions. - The compromised versions deployed native malware capable of stealing sensitive developer and cloud credentials across Linux, macOS, and Windows systems.
- The attack leveraged a stolen npm publishing credential, affecting versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0.
- A fix is available: users should upgrade to the clean
jscramblerversion 8.22.0, audit systems, and rotate exposed credentials.
Critical Supply Chain Attack Hits jscrambler npm Package, Deploying Credential-Stealing Malware
Developers relying on the jscrambler npm package, a popular JavaScript code protection tool with over 15,800 weekly downloads, have been exposed to a critical supply chain attack. Malicious versions of the package were found to silently deploy native malware on Linux, macOS, and Windows operating systems, posing a significant threat to development environments and cloud infrastructure.
Table Of Content
The initial malicious release, identified as [email protected], was detected by the Socket Research Team on July 11, 2026, merely six minutes after its publication. Subsequent compromised versions included 8.16.0, 8.17.0, 8.18.0, and 8.20.0.
Attack Vector and Malware Deployment
The attackers exploited a stolen npm publishing credential to upload unauthorized releases of the jscrambler package. In the early stages of the attack, the malicious versions incorporated an undocumented preinstall script. This script automatically executed malicious code when a developer ran npm install, meaning victims did not need to explicitly import the package or use its command-line interface for the payload to launch.
These initial malicious releases embedded a preinstall hook that initiated dist/setup.js. This loader then read a cleverly disguised binary container, dist/intro.js, which contained three Rust-based binaries: a Linux ELF file, a Windows PE executable, and a macOS Apple Silicon Mach-O binary. The loader selected the appropriate payload based on the victim’s operating system, wrote it to a hidden temporary file, and launched the executable in the background without any visible output or requiring user interaction.
Beginning with version 8.18.0, the attackers modified their technique. They removed the explicit install hook and instead injected the same loader directly into the package’s main JavaScript files. This strategic change allowed the malware to execute whenever an application imported jscrambler or its CLI was invoked, thereby circumventing security checks that focused solely on npm lifecycle scripts.
Targeted Data and Cloud Compromise
The malware was meticulously designed to exfiltrate high-value developer and cloud credentials. According to the Socket Research Team, the malicious payload specifically targeted browser data, cryptocurrency wallets, and session information from applications like Discord, Slack, Telegram, and Steam. It also sought cloud tokens and local operating system keyrings.
A particularly concerning aspect of this attack is its focus on developer tools and cloud environments. The malware actively searched for configuration files associated with AI coding tools such as Claude Desktop, Cursor, Windsurf, VS Code, and Zed, as well as MCP server configurations. These files frequently contain sensitive API keys and connection details that could grant attackers deeper access.
Furthermore, the payload attempted to access credentials for major cloud providers, including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. It contained references to cloud metadata endpoints, secret-management services, Kubernetes APIs, and various deployment environments. This poses an extreme risk, as build systems and CI pipelines often house critical assets like source code, signing keys, deployment tokens, and production credentials, making them prime targets for compromise.
To hinder analysis, the malware encrypted its configuration strings using ChaCha20-Poly1305 encryption. Researchers also observed network code indicating that stolen data was uploaded via encrypted TLS connections, utilizing a multipart HTTP request to a /upload endpoint.
Remediation and Indicators of Compromise
Jscrambler has confirmed that an attacker utilized an npm publishing credential to upload these unauthorized releases. In response, the company has revoked and rotated its publishing credentials, deprecated the affected versions, and released a verified clean version 8.22.0.
This incident underscores the severe implications of compromised npm publishing credentials, transforming a trusted developer dependency into a potent entry point for widespread credential theft and potential cloud compromise.
Indicators of Compromise
| IOC Type | Indicator |
|---|---|
| Affected Versions | jscrambler 8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0 |
| Patched Version | jscrambler 8.22.0 |
| Preinstall Hook | preinstall: node dist/setup.js |
| Dropped Files | dist/setup.js, dist/intro.js |
| Loader SHA-256 | a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60 |
| Payload SHA-256 | a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86 |
| package.json SHA-256 | bba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0 |
| Linux ELF SHA-256 | fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd |
| Windows PE SHA-256 | b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903 |
| macOS Mach-O SHA-256 | c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd |
| File Signature | 1b 43 53 49 01 (x1bCSIx01) |
| Execution Artifact | Hidden temp executable |
| Process Artifact | Detached spawn() process |
| Network IOC | POST /upload (multipart/form-data) |
| Cloud Metadata | 169.254.169[.]254, 169.254.170, metadata.google.internal |
| Recon Endpoints | check.torproject.org/api/ip, 1.1.1.1, 8.8.8.8 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What You Should Do
- Immediately Remove Affected Versions: Organizations must uninstall all affected
jscramblerversions (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) from all development systems and build environments. - Upgrade to Clean Version: Update to the verified clean
jscramblerversion 8.22.0 without delay. - Audit npm Installation and CI Logs: Thoroughly review npm installation logs and Continuous Integration (CI) pipeline logs for any signs of compromise or execution of the malicious scripts.
- Review Lockfiles: Examine
package-lock.jsonoryarn.lockfiles for any transitive dependencies on the compromisedjscramblerversions. - Rotate Credentials: Urgently rotate all credentials that may have been exposed on impacted developer systems and build servers, including browser data, cryptocurrency wallets, Discord/Slack/Telegram/Steam sessions, cloud tokens (AWS, Google Cloud, Azure), local OS keyrings, and API keys from AI coding tools.
- Enhance Supply Chain Security: Implement stricter controls and monitoring for npm package usage, including integrity checks and a robust software supply chain security strategy.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.