The jscrambler npm package was compromised, with the release of version 8.14.0 containing a malicious payload that executes an infostealer during installation. This incident was reported on July 11, 2026, shortly after the compromised version was published.
Details of the Compromise
The malicious release includes a preinstall hook that drops and executes a native binary tailored for Windows, macOS, and Linux systems. The malicious version was flagged by Socket just six minutes after its publication. Notably, this compromised version does not exist in the previous release, 8.13.0.
Upon installation, the new files setup.js and intro.js are introduced. Contrary to its name, intro.js is not JavaScript; it is a container that includes three gzip-compressed binaries for the aforementioned operating systems. The setup.js script selects the appropriate binary for the host OS, executes it, and hides its output.
Payload and Impact
The payload is identified as a Rust infostealer that targets a wide range of sensitive information from developer machines, including cloud credentials from AWS, Azure, and Google Cloud, cryptocurrency wallets, and various session tokens from applications like Discord and Slack. It also seeks configuration files for AI coding tools, which may contain API keys.
Additionally, the Linux payload has the capability to link to the kernel’s BPF library, potentially allowing it to load an eBPF program directly into the kernel. This raises concerns about the extent of access the malware could achieve.
Current Status and Recommendations
As of now, the compromised version 8.14.0 remains available on npm, despite the release of version 8.15.0, which does not contain the malicious elements. Users are advised to remove jscrambler@8.14.0 from their systems and replace it with 8.15.0 or revert to 8.13.0.
Developers should review their package-manager logs and CI records for any installations of jscrambler@8.14.0 and check for any signs of the malicious payload. If the compromised version was executed, all sensitive information accessed by the malware should be considered compromised.
Indicators of Compromise
The malicious package is identified as jscrambler@8.14.0. The SHA-256 hashes for the added files and their payloads are as follows:
dist/setup.js: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
dist/intro.js: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
Network indicators include two command-and-control IP addresses: 37.27.122[.]124 and 57.128.246[.]79, along with connections to Tor infrastructure.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








