216.73.217.19

jscrambler npm Package Compromised in Supply Chain Attack

· Published 12/07/2026 01:55

Export JSON

Essential information

Published
12/07/2026 01:55
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
infostealer npm compromise supply chain attack
Related entities
6 indicators, 20 techniques (mitre)

Description

A malicious release of the jscrambler npm package (version 8.14.0) was published on July 11, 2026, introducing hidden native binaries that execute automatically during installation. The compromised package added an undocumented preinstall hook executing dist/setup.js, which deploys platform-specific binaries for Linux, macOS, and Windows embedded in an obfuscated CSI container. The payload is a Rust-built targeting cryptocurrency wallets, AI coding assistants, cloud credentials (AWS, GCP, Azure), browser data, and messaging applications. String obfuscation uses per-string ChaCha20-Poly1305 encryption. The threat actor published five malicious versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) over three hours, evolving delivery methods to evade detection. Version 8.22.0 is confirmed clean. The package receives approximately 15,800 weekly downloads, affecting developer workstations, CI systems, and build pipelines with access to credentials and secrets.

External references