Compromised jscrambler 8.14.0 npm Release Contains Malicious Infostealer
Version 8.14.0 of the jscrambler npm package, released on July 11, 2026, contains a malicious preinstall hook that silently installs and runs an infostealer on Windows, macOS, and Linux systems. The malware executes automatically during installation, requiring no user interaction or additional commands.
Key Details of the Attack
- Detection: The compromised release was flagged by Socket six minutes after publication. If installed within this window, the payload likely executed with the permissions of the install process.
- Payload Mechanism: The package includes two new files:
setup.js, a loader, andintro.js, a 7.8MB container with gzip-compressed native binaries for Linux, Windows, and macOS. During installation,setup.jsselects the appropriate binary for the host OS, writes it to the system temp directory, marks it executable, and launches it. - Targets: The infostealer targets developer secrets, including cloud credentials (AWS, Azure, Google Cloud), cryptocurrency wallets (MetaMask, Phantom, Exodus), password managers (Bitwarden), browser-stored passwords, and AI coding tool config files.
- Advanced Capabilities: On Linux, the malware leverages the kernel's BPF library to load an eBPF program, potentially gaining kernel-level access. The Windows and macOS builds include anti-debugging checks and persistence mechanisms.
Impact and Scope
The jscrambler package sees approximately 15,800 downloads per week. While this is significantly smaller than other recent npm compromises, the attack targets high-value developer environments, making reach less critical than the access it provides.
This incident aligns with a recent trend of npm supply chain attacks, including the Shai-Hulud worm in September 2025 and the hijacking of the Axios HTTP library in March 2026. Notably, npm recently released version 12 on July 8, which disables dependency install scripts by default, mitigating the risk of such attacks for updated clients.
Response and Mitigation
- Version Replacement: Version 8.15.0 has replaced the compromised release, published from the same maintainer account, and shows no signs of malware. However, version 8.14.0 remains available on npm, posing a risk to systems pinned to this version.
- Recommendations:
- Upgrade to version 8.15.0 or revert to 8.13.0.
- Check for installations of 8.14.0 in lockfiles, package-manager logs, and CI records.
- Rotate compromised secrets, including cloud keys, npm tokens, and API keys.
- Block the identified command-and-control IPs and inspect systems for hidden tasks or persistence mechanisms.
Indicators of Compromise
- Malicious Package: jscrambler@8.14.0
- SHA-256 Hashes:
dist/setup.js:a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60dist/intro.js:a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86- Linux Payload:
fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd - Windows Payload:
b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903 - macOS Payload:
c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
- Network Endpoints:
- C2 IP:
37.27.122.124 - C2 IP:
57.128.246.79 - Tor Infrastructure:
check.torproject.org,archive.torproject.org
- C2 IP:
This attack underscores the ongoing threat to developer environments and the need for vigilance in securing build pipelines and dependencies.