Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

jscrambler npm Package Compromised in Supply Chain Attack

0
Medium
Published: 07/11/2026 (07/11/2026, 23:55:30 UTC)
Source: AlienVault OTX General

Description

The jscrambler npm package was compromised in a supply chain attack with malicious versions released on July 11, 2026. These versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) included a hidden preinstall hook that deployed obfuscated native binaries targeting Linux, macOS, and Windows. The payload is a Rust-based infostealer designed to extract sensitive data such as cryptocurrency wallets, AI coding assistants, cloud credentials, browser data, and messaging app information. The attacker used per-string ChaCha20-Poly1305 encryption for obfuscation and rapidly evolved the malicious releases to evade detection. Version 8.22.0 is confirmed clean. The package is widely used, with approximately 15,800 weekly downloads, impacting developer environments and CI pipelines with access to secrets.

Affected software

Affected versions
=8.14.0=8.16.0=8.17.0=8.18.0=8.20.0

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 10:49:18 UTC

Technical Analysis

A supply chain attack compromised the jscrambler npm package by publishing malicious versions that introduced an undocumented preinstall hook executing a setup script. This script deployed platform-specific native binaries embedded in an obfuscated container, which function as a Rust-built infostealer. The malware targets a broad range of sensitive information including cryptocurrency wallets, AI coding assistants, cloud service credentials (AWS, GCP, Azure), browser data, and messaging applications. The attacker released five malicious versions within a short timeframe, adapting delivery methods to avoid detection. The clean version 8.22.0 is available, indicating remediation through package updates. The attack affects developer workstations, continuous integration systems, and build pipelines that install the compromised package.

Potential Impact

The compromised jscrambler npm package versions enable automatic execution of malicious native binaries during installation, leading to theft of highly sensitive data such as cryptocurrency wallets, cloud credentials, browser data, and messaging app information. This threatens the confidentiality of developer environments and automated build systems that rely on this package, potentially exposing critical secrets and credentials to attackers. The supply chain nature of the attack increases risk due to the package's widespread use and trust in npm packages.

Mitigation Recommendations

Users and organizations should immediately upgrade to jscrambler version 8.22.0 or later, which is confirmed clean. Avoid using the compromised versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Review build and CI pipelines for any installations of these malicious versions and rotate any credentials or secrets that may have been exposed. Monitor for indicators of compromise using the provided hashes. Patch status is confirmed by the availability of a clean version (8.22.0).

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://socket.dev/blog/jscrambler-supply-chain-attack"]
Adversary
null
Pulse Id
6a52d7f22883fcd1f11046c2
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hasha41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
hasha742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
hashb7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
hashbba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0
hashc8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
hashfbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd

Threat ID: 6a54bece68715ace43aa4061

Added to database: 07/13/2026, 10:32:46 UTC

Last enriched: 07/13/2026, 10:49:18 UTC

Last updated: 07/14/2026, 02:31:55 UTC

Views: 56

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses