MAL-2026-10187: Malicious code in jscrambler (npm)
Supply-chain compromise of the official jscrambler npm client, a legitimate JavaScript obfuscation tool with roughly 60K downloads per month. Version 8.14.0 was published from the legitimate publisher account (jscrambler_ / [email protected]), which points to an account or CI compromise rather than a typosquat. Compared to the clean 8.13.0, version 8.14.0 adds a new preinstall hook (node dist/setup.js) and a new 7.5MB dist/intro.js file (entropy 8.00) that is a custom-packed, multi-platform binary container (magic bytes 1b435349 01); both are absent in 8.13.0. At install time, setup.js gunzips the platform-matched payload from intro.js, writes it to a randomly named file under the OS temp directory with the executable bit set (0o755, or a .exe extension on Windows built via String.fromCharCode), then spawns it detached with unref and windowsHide while swallowing all errors. The result is a silent, install-time native-binary dropper. Multiple releases are compromised (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0); the mechanism above was analyzed on 8.14.0. Version 8.13.0 is clean. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (afb577cf150e98ebfe551df006c555204f327432baa3789473981888761a8677) The package's main entry (dist/index.js) contains a top-level IIFE that runs on every require('jscrambler'). It reads a bundled 7.8 MB sibling file dist/intro.js, validates a custom container header (0x1b 0x43 0x53 0x49 0x01), selects a platform-specific gzip section (linux/win32/darwin), writes the decompressed bytes to os.tmpdir() under a hidden random dot-file name with mode 0755, and spawns the binary detached with stdio ignored and windowsHide, then unrefs the child. Errors are swallowed. The bundled payload dist/intro.js is not JavaScript: it uses a custom multi-platform container and contains strings characteristic of a cryptocurrency-wallet seed-phrase harvester and a browser-session stealer, including the BIP-39 English wordlist marker (bip39_english) and Chromium/BoringSSL TLS internals (ResumptionAttemptedWithVariedEms). Neither README nor CHANGELOG documents any native runtime component, and the CHANGELOG has no entries past 8.13.0. The wrapper's shape (custom magic header, hidden tmp filename, detached spawn, error-swallowed try/catch, undocumented payload) is inconsistent with the package's advertised CLI/API-client purpose and matches a malicious release / account-takeover pattern targeting installer wallets and browser sessions.
AI Analysis
Technical Summary
The jscrambler npm package's main entry point (dist/index.js) includes a top-level immediately-invoked function expression (IIFE) that runs on every require call. It reads a large bundled file (dist/intro.js) containing a custom multi-platform container with a specific header. The code decompresses a platform-specific gzip section and writes the binary to a hidden temporary file with executable permissions. It then spawns this binary in a detached process with no standard IO and hides the window on Windows. The payload includes strings related to cryptocurrency wallet seed phrase harvesting (BIP-39 English wordlist) and browser session stealing (Chromium/BoringSSL TLS internals). These behaviors are undocumented in the package's README and changelog, which show no updates past version 8.13.0, suggesting a malicious release or account takeover targeting wallet installers and browser sessions.
Potential Impact
Affected versions of the jscrambler package execute a hidden native binary that can harvest sensitive cryptocurrency wallet seed phrases and steal browser session data. This compromises user credentials and potentially leads to theft of cryptocurrency assets and session hijacking. The malicious code runs silently without user awareness or error reporting, increasing the risk of undetected compromise.
Mitigation Recommendations
No official patch or remediation guidance is currently provided. Users should immediately stop using the affected versions (=8.14.0, =8.16.0, =8.18.0, =8.20.0) of the jscrambler package. Verify the integrity of packages before installation and consider using trusted sources or package lockfiles. Monitor for updates from the vendor or npm registry for any official fixes or advisories. Remove any installations of these affected versions and audit systems for potential compromise.
MAL-2026-10187: Malicious code in jscrambler (npm)
Description
Supply-chain compromise of the official jscrambler npm client, a legitimate JavaScript obfuscation tool with roughly 60K downloads per month. Version 8.14.0 was published from the legitimate publisher account (jscrambler_ / [email protected]), which points to an account or CI compromise rather than a typosquat. Compared to the clean 8.13.0, version 8.14.0 adds a new preinstall hook (node dist/setup.js) and a new 7.5MB dist/intro.js file (entropy 8.00) that is a custom-packed, multi-platform binary container (magic bytes 1b435349 01); both are absent in 8.13.0. At install time, setup.js gunzips the platform-matched payload from intro.js, writes it to a randomly named file under the OS temp directory with the executable bit set (0o755, or a .exe extension on Windows built via String.fromCharCode), then spawns it detached with unref and windowsHide while swallowing all errors. The result is a silent, install-time native-binary dropper. Multiple releases are compromised (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0); the mechanism above was analyzed on 8.14.0. Version 8.13.0 is clean. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (afb577cf150e98ebfe551df006c555204f327432baa3789473981888761a8677) The package's main entry (dist/index.js) contains a top-level IIFE that runs on every require('jscrambler'). It reads a bundled 7.8 MB sibling file dist/intro.js, validates a custom container header (0x1b 0x43 0x53 0x49 0x01), selects a platform-specific gzip section (linux/win32/darwin), writes the decompressed bytes to os.tmpdir() under a hidden random dot-file name with mode 0755, and spawns the binary detached with stdio ignored and windowsHide, then unrefs the child. Errors are swallowed. The bundled payload dist/intro.js is not JavaScript: it uses a custom multi-platform container and contains strings characteristic of a cryptocurrency-wallet seed-phrase harvester and a browser-session stealer, including the BIP-39 English wordlist marker (bip39_english) and Chromium/BoringSSL TLS internals (ResumptionAttemptedWithVariedEms). Neither README nor CHANGELOG documents any native runtime component, and the CHANGELOG has no entries past 8.13.0. The wrapper's shape (custom magic header, hidden tmp filename, detached spawn, error-swallowed try/catch, undocumented payload) is inconsistent with the package's advertised CLI/API-client purpose and matches a malicious release / account-takeover pattern targeting installer wallets and browser sessions.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The jscrambler npm package's main entry point (dist/index.js) includes a top-level immediately-invoked function expression (IIFE) that runs on every require call. It reads a large bundled file (dist/intro.js) containing a custom multi-platform container with a specific header. The code decompresses a platform-specific gzip section and writes the binary to a hidden temporary file with executable permissions. It then spawns this binary in a detached process with no standard IO and hides the window on Windows. The payload includes strings related to cryptocurrency wallet seed phrase harvesting (BIP-39 English wordlist) and browser session stealing (Chromium/BoringSSL TLS internals). These behaviors are undocumented in the package's README and changelog, which show no updates past version 8.13.0, suggesting a malicious release or account takeover targeting wallet installers and browser sessions.
Potential Impact
Affected versions of the jscrambler package execute a hidden native binary that can harvest sensitive cryptocurrency wallet seed phrases and steal browser session data. This compromises user credentials and potentially leads to theft of cryptocurrency assets and session hijacking. The malicious code runs silently without user awareness or error reporting, increasing the risk of undetected compromise.
Mitigation Recommendations
No official patch or remediation guidance is currently provided. Users should immediately stop using the affected versions (=8.14.0, =8.16.0, =8.18.0, =8.20.0) of the jscrambler package. Verify the integrity of packages before installation and consider using trusted sources or package lockfiles. Monitor for updates from the vendor or npm registry for any official fixes or advisories. Remove any installations of these affected versions and audit systems for potential compromise.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10187
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a535c0068715ace43ad5431
Added to database: 07/12/2026, 09:18:56 UTC
Last enriched: 07/12/2026, 09:22:16 UTC
Last updated: 07/13/2026, 03:02:35 UTC
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.