jscrambler npm Package Compromised in Supply Chain Attack
The jscrambler npm package was compromised in a supply chain attack with malicious versions released on July 11, 2026. These versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) included a hidden preinstall hook that deployed obfuscated native binaries targeting Linux, macOS, and Windows. The payload is a Rust-based infostealer designed to extract sensitive data such as cryptocurrency wallets, AI coding assistants, cloud credentials, browser data, and messaging app information. The attacker used per-string ChaCha20-Poly1305 encryption for obfuscation and rapidly evolved the malicious releases to evade detection. Version 8.22.0 is confirmed clean. The package is widely used, with approximately 15,800 weekly downloads, impacting developer environments and CI pipelines with access to secrets.
AI Analysis
Technical Summary
A supply chain attack compromised the jscrambler npm package by publishing malicious versions that introduced an undocumented preinstall hook executing a setup script. This script deployed platform-specific native binaries embedded in an obfuscated container, which function as a Rust-built infostealer. The malware targets a broad range of sensitive information including cryptocurrency wallets, AI coding assistants, cloud service credentials (AWS, GCP, Azure), browser data, and messaging applications. The attacker released five malicious versions within a short timeframe, adapting delivery methods to avoid detection. The clean version 8.22.0 is available, indicating remediation through package updates. The attack affects developer workstations, continuous integration systems, and build pipelines that install the compromised package.
Potential Impact
The compromised jscrambler npm package versions enable automatic execution of malicious native binaries during installation, leading to theft of highly sensitive data such as cryptocurrency wallets, cloud credentials, browser data, and messaging app information. This threatens the confidentiality of developer environments and automated build systems that rely on this package, potentially exposing critical secrets and credentials to attackers. The supply chain nature of the attack increases risk due to the package's widespread use and trust in npm packages.
Mitigation Recommendations
Users and organizations should immediately upgrade to jscrambler version 8.22.0 or later, which is confirmed clean. Avoid using the compromised versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Review build and CI pipelines for any installations of these malicious versions and rotate any credentials or secrets that may have been exposed. Monitor for indicators of compromise using the provided hashes. Patch status is confirmed by the availability of a clean version (8.22.0).
Indicators of Compromise
- hash: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
- hash: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
- hash: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
- hash: bba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0
- hash: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
- hash: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
jscrambler npm Package Compromised in Supply Chain Attack
Description
The jscrambler npm package was compromised in a supply chain attack with malicious versions released on July 11, 2026. These versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) included a hidden preinstall hook that deployed obfuscated native binaries targeting Linux, macOS, and Windows. The payload is a Rust-based infostealer designed to extract sensitive data such as cryptocurrency wallets, AI coding assistants, cloud credentials, browser data, and messaging app information. The attacker used per-string ChaCha20-Poly1305 encryption for obfuscation and rapidly evolved the malicious releases to evade detection. Version 8.22.0 is confirmed clean. The package is widely used, with approximately 15,800 weekly downloads, impacting developer environments and CI pipelines with access to secrets.
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
A supply chain attack compromised the jscrambler npm package by publishing malicious versions that introduced an undocumented preinstall hook executing a setup script. This script deployed platform-specific native binaries embedded in an obfuscated container, which function as a Rust-built infostealer. The malware targets a broad range of sensitive information including cryptocurrency wallets, AI coding assistants, cloud service credentials (AWS, GCP, Azure), browser data, and messaging applications. The attacker released five malicious versions within a short timeframe, adapting delivery methods to avoid detection. The clean version 8.22.0 is available, indicating remediation through package updates. The attack affects developer workstations, continuous integration systems, and build pipelines that install the compromised package.
Potential Impact
The compromised jscrambler npm package versions enable automatic execution of malicious native binaries during installation, leading to theft of highly sensitive data such as cryptocurrency wallets, cloud credentials, browser data, and messaging app information. This threatens the confidentiality of developer environments and automated build systems that rely on this package, potentially exposing critical secrets and credentials to attackers. The supply chain nature of the attack increases risk due to the package's widespread use and trust in npm packages.
Mitigation Recommendations
Users and organizations should immediately upgrade to jscrambler version 8.22.0 or later, which is confirmed clean. Avoid using the compromised versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Review build and CI pipelines for any installations of these malicious versions and rotate any credentials or secrets that may have been exposed. Monitor for indicators of compromise using the provided hashes. Patch status is confirmed by the availability of a clean version (8.22.0).
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://socket.dev/blog/jscrambler-supply-chain-attack"]
- Adversary
- null
- Pulse Id
- 6a52d7f22883fcd1f11046c2
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hasha41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86 | — | |
hasha742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60 | — | |
hashb7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903 | — | |
hashbba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0 | — | |
hashc8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd | — | |
hashfbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd | — |
Threat ID: 6a54bece68715ace43aa4061
Added to database: 07/13/2026, 10:32:46 UTC
Last enriched: 07/13/2026, 10:49:18 UTC
Last updated: 07/14/2026, 02:31:55 UTC
Views: 56
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.