Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10187: Malicious code in jscrambler (npm)

0
Critical
Published: 07/11/2026 (07/11/2026, 00:00:00 UTC)
Source: GCVE Database
Product: jscrambler

Description

Supply-chain compromise of the official jscrambler npm client, a legitimate JavaScript obfuscation tool with roughly 60K downloads per month. Version 8.14.0 was published from the legitimate publisher account (jscrambler_ / [email protected]), which points to an account or CI compromise rather than a typosquat. Compared to the clean 8.13.0, version 8.14.0 adds a new preinstall hook (node dist/setup.js) and a new 7.5MB dist/intro.js file (entropy 8.00) that is a custom-packed, multi-platform binary container (magic bytes 1b435349 01); both are absent in 8.13.0. At install time, setup.js gunzips the platform-matched payload from intro.js, writes it to a randomly named file under the OS temp directory with the executable bit set (0o755, or a .exe extension on Windows built via String.fromCharCode), then spawns it detached with unref and windowsHide while swallowing all errors. The result is a silent, install-time native-binary dropper. Multiple releases are compromised (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0); the mechanism above was analyzed on 8.14.0. Version 8.13.0 is clean. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (afb577cf150e98ebfe551df006c555204f327432baa3789473981888761a8677) The package's main entry (dist/index.js) contains a top-level IIFE that runs on every require('jscrambler'). It reads a bundled 7.8 MB sibling file dist/intro.js, validates a custom container header (0x1b 0x43 0x53 0x49 0x01), selects a platform-specific gzip section (linux/win32/darwin), writes the decompressed bytes to os.tmpdir() under a hidden random dot-file name with mode 0755, and spawns the binary detached with stdio ignored and windowsHide, then unrefs the child. Errors are swallowed. The bundled payload dist/intro.js is not JavaScript: it uses a custom multi-platform container and contains strings characteristic of a cryptocurrency-wallet seed-phrase harvester and a browser-session stealer, including the BIP-39 English wordlist marker (bip39_english) and Chromium/BoringSSL TLS internals (ResumptionAttemptedWithVariedEms). Neither README nor CHANGELOG documents any native runtime component, and the CHANGELOG has no entries past 8.13.0. The wrapper's shape (custom magic header, hidden tmp filename, detached spawn, error-swallowed try/catch, undocumented payload) is inconsistent with the package's advertised CLI/API-client purpose and matches a malicious release / account-takeover pattern targeting installer wallets and browser sessions.

Affected software

npmghsa
jscrambler
Affected versions
=8.16.0=8.14.0=8.20.0=8.18.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/12/2026, 09:22:16 UTC

Technical Analysis

The jscrambler npm package's main entry point (dist/index.js) includes a top-level immediately-invoked function expression (IIFE) that runs on every require call. It reads a large bundled file (dist/intro.js) containing a custom multi-platform container with a specific header. The code decompresses a platform-specific gzip section and writes the binary to a hidden temporary file with executable permissions. It then spawns this binary in a detached process with no standard IO and hides the window on Windows. The payload includes strings related to cryptocurrency wallet seed phrase harvesting (BIP-39 English wordlist) and browser session stealing (Chromium/BoringSSL TLS internals). These behaviors are undocumented in the package's README and changelog, which show no updates past version 8.13.0, suggesting a malicious release or account takeover targeting wallet installers and browser sessions.

Potential Impact

Affected versions of the jscrambler package execute a hidden native binary that can harvest sensitive cryptocurrency wallet seed phrases and steal browser session data. This compromises user credentials and potentially leads to theft of cryptocurrency assets and session hijacking. The malicious code runs silently without user awareness or error reporting, increasing the risk of undetected compromise.

Mitigation Recommendations

No official patch or remediation guidance is currently provided. Users should immediately stop using the affected versions (=8.14.0, =8.16.0, =8.18.0, =8.20.0) of the jscrambler package. Verify the integrity of packages before installation and consider using trusted sources or package lockfiles. Monitor for updates from the vendor or npm registry for any official fixes or advisories. Remove any installations of these affected versions and audit systems for potential compromise.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10187
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a535c0068715ace43ad5431

Added to database: 07/12/2026, 09:18:56 UTC

Last enriched: 07/12/2026, 09:22:16 UTC

Last updated: 07/13/2026, 03:02:35 UTC

Views: 18

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses