jscrambler npm Package Compromised in Supply Chain Attack
Essential information
- Published
- 12/07/2026 01:55
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- infostealer npm compromise supply chain attack
- Related entities
- 6 indicators, 20 techniques (mitre)
Description
A malicious release of the jscrambler npm package (version 8.14.0) was published on July 11, 2026, introducing hidden native binaries that execute automatically during installation. The compromised package added an undocumented preinstall hook executing dist/setup.js, which deploys platform-specific binaries for Linux, macOS, and Windows embedded in an obfuscated CSI container. The payload is a Rust-built infostealer targeting cryptocurrency wallets, AI coding assistants, cloud credentials (AWS, GCP, Azure), browser data, and messaging applications. String obfuscation uses per-string ChaCha20-Poly1305 encryption. The threat actor published five malicious versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) over three hours, evolving delivery methods to evade detection. Version 8.22.0 is confirmed clean. The package receives approximately 15,800 weekly downloads, affecting developer workstations, CI systems, and build pipelines with access to credentials and secrets.