Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical WordPress Plugin Bug Lets Attackers Control Websites
July 13, 2026
Armored Likho APT deploys BusySnake stealer with AI-generated loaders
July 13, 2026
VEXAIoT Multi-Agent System Automates IoT Reconnaissance and Exploit Execution
July 13, 2026
Home/CyberSecurity News/Critical jscrambler Supply Chain Attack Targets Developers
CyberSecurity News

Critical jscrambler Supply Chain Attack Targets Developers

Key Takeaways A sophisticated supply chain attack targeted the jscrambler npm package, injecting malicious code into multiple versions. The compromised versions deployed native malware capable of...

Jennifer sherman
Jennifer sherman
July 13, 2026 4 Min Read
4 0

Key Takeaways

  • A sophisticated supply chain attack targeted the jscrambler npm package, injecting malicious code into multiple versions.
  • The compromised versions deployed native malware capable of stealing sensitive developer and cloud credentials across Linux, macOS, and Windows systems.
  • The attack leveraged a stolen npm publishing credential, affecting versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0.
  • A fix is available: users should upgrade to the clean jscrambler version 8.22.0, audit systems, and rotate exposed credentials.

Critical Supply Chain Attack Hits jscrambler npm Package, Deploying Credential-Stealing Malware

Developers relying on the jscrambler npm package, a popular JavaScript code protection tool with over 15,800 weekly downloads, have been exposed to a critical supply chain attack. Malicious versions of the package were found to silently deploy native malware on Linux, macOS, and Windows operating systems, posing a significant threat to development environments and cloud infrastructure.

Table Of Content

  • Key Takeaways
  • Critical Supply Chain Attack Hits jscrambler npm Package, Deploying Credential-Stealing Malware
  • Attack Vector and Malware Deployment
  • Targeted Data and Cloud Compromise
  • Remediation and Indicators of Compromise
  • What You Should Do

The initial malicious release, identified as [email protected], was detected by the Socket Research Team on July 11, 2026, merely six minutes after its publication. Subsequent compromised versions included 8.16.0, 8.17.0, 8.18.0, and 8.20.0.

Attack Vector and Malware Deployment

The attackers exploited a stolen npm publishing credential to upload unauthorized releases of the jscrambler package. In the early stages of the attack, the malicious versions incorporated an undocumented preinstall script. This script automatically executed malicious code when a developer ran npm install, meaning victims did not need to explicitly import the package or use its command-line interface for the payload to launch.

These initial malicious releases embedded a preinstall hook that initiated dist/setup.js. This loader then read a cleverly disguised binary container, dist/intro.js, which contained three Rust-based binaries: a Linux ELF file, a Windows PE executable, and a macOS Apple Silicon Mach-O binary. The loader selected the appropriate payload based on the victim’s operating system, wrote it to a hidden temporary file, and launched the executable in the background without any visible output or requiring user interaction.

Beginning with version 8.18.0, the attackers modified their technique. They removed the explicit install hook and instead injected the same loader directly into the package’s main JavaScript files. This strategic change allowed the malware to execute whenever an application imported jscrambler or its CLI was invoked, thereby circumventing security checks that focused solely on npm lifecycle scripts.

Targeted Data and Cloud Compromise

The malware was meticulously designed to exfiltrate high-value developer and cloud credentials. According to the Socket Research Team, the malicious payload specifically targeted browser data, cryptocurrency wallets, and session information from applications like Discord, Slack, Telegram, and Steam. It also sought cloud tokens and local operating system keyrings.

A particularly concerning aspect of this attack is its focus on developer tools and cloud environments. The malware actively searched for configuration files associated with AI coding tools such as Claude Desktop, Cursor, Windsurf, VS Code, and Zed, as well as MCP server configurations. These files frequently contain sensitive API keys and connection details that could grant attackers deeper access.

Furthermore, the payload attempted to access credentials for major cloud providers, including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. It contained references to cloud metadata endpoints, secret-management services, Kubernetes APIs, and various deployment environments. This poses an extreme risk, as build systems and CI pipelines often house critical assets like source code, signing keys, deployment tokens, and production credentials, making them prime targets for compromise.

To hinder analysis, the malware encrypted its configuration strings using ChaCha20-Poly1305 encryption. Researchers also observed network code indicating that stolen data was uploaded via encrypted TLS connections, utilizing a multipart HTTP request to a /upload endpoint.

Remediation and Indicators of Compromise

Jscrambler has confirmed that an attacker utilized an npm publishing credential to upload these unauthorized releases. In response, the company has revoked and rotated its publishing credentials, deprecated the affected versions, and released a verified clean version 8.22.0.

This incident underscores the severe implications of compromised npm publishing credentials, transforming a trusted developer dependency into a potent entry point for widespread credential theft and potential cloud compromise.

Indicators of Compromise

IOC Type Indicator
Affected Versions jscrambler 8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0
Patched Version jscrambler 8.22.0
Preinstall Hook preinstall: node dist/setup.js
Dropped Files dist/setup.js, dist/intro.js
Loader SHA-256 a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
Payload SHA-256 a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
package.json SHA-256 bba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0
Linux ELF SHA-256 fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
Windows PE SHA-256 b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
macOS Mach-O SHA-256 c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
File Signature 1b 43 53 49 01 (x1bCSIx01)
Execution Artifact Hidden temp executable
Process Artifact Detached spawn() process
Network IOC POST /upload (multipart/form-data)
Cloud Metadata 169.254.169[.]254, 169.254.170[.]2, metadata.google.internal
Recon Endpoints check.torproject.org/api/ip, 1.1.1.1, 8.8.8.8

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What You Should Do

  • Immediately Remove Affected Versions: Organizations must uninstall all affected jscrambler versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) from all development systems and build environments.
  • Upgrade to Clean Version: Update to the verified clean jscrambler version 8.22.0 without delay.
  • Audit npm Installation and CI Logs: Thoroughly review npm installation logs and Continuous Integration (CI) pipeline logs for any signs of compromise or execution of the malicious scripts.
  • Review Lockfiles: Examine package-lock.json or yarn.lock files for any transitive dependencies on the compromised jscrambler versions.
  • Rotate Credentials: Urgently rotate all credentials that may have been exposed on impacted developer systems and build servers, including browser data, cryptocurrency wallets, Discord/Slack/Telegram/Steam sessions, cloud tokens (AWS, Google Cloud, Azure), local OS keyrings, and API keys from AI coding tools.
  • Enhance Supply Chain Security: Implement stricter controls and monitoring for npm package usage, including integrity checks and a robust software supply chain security strategy.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwarePatchThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Misconfigured Python HTTP Server CVE-2024-XXXX Exposes Three Active Attack Campaigns

Next Post

Anthropic Extends Claude 3.5 Sonnet Access for Developers

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical jscrambler Supply Chain Attack Targets Developers
July 13, 2026
Misconfigured Python HTTP Server CVE-2024-XXXX Exposes Three Active Attack Campaigns
July 13, 2026
RokRAT Malware Targets Researchers With Fake Academic Event Materials
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us