Skip to content
Supply chainContained

Jscrambler's official npm package trojanised to drop a Rust infostealer on install

Attackers pushed five malicious releases of the widely used jscrambler npm package under its legitimate maintainer account, each running a preinstall hook that dropped a cross-platform Rust infostealer onto developers' machines.

Victim
Jscrambler

On 11 July 2026, the official jscrambler npm package β€” maintained by the Portuguese client-side application-security firm of the same name β€” was trojanised to run an infostealer on any machine that installed it. The tampered 8.14.0 release was published straight to npm under the legitimate jscrambler maintainer account, bypassing the project's normal release flow and pointing to a compromised npm account or build pipeline rather than a typosquat or lookalike package.

The malicious version carried a preinstall hook that dropped and executed a native binary as soon as the package was installed. The package diff showed two new files under dist/: a small loader named setup.js, and a file called intro.js that β€” despite its name β€” was not JavaScript at all but a roughly 7.8 MB container packing three gzip-compressed native binaries, one build each for Windows, macOS and Linux. The payload was a Rust infostealer that swept the developer's machine for secrets and shipped them to a drop server over TLS, targeting browser profile data from Chrome, Brave, Edge and Chromium, the Bitwarden browser extension, and Steam sessions, while installing persistence through Windows Task Scheduler and macOS LaunchAgents.

A three-hour tug-of-war

The compromise turned into a rapid back-and-forth between the attacker and the project's defenders. Socket flagged the first malicious release about six minutes after it went live, but over roughly three hours the attacker published five poisoned versions in total β€” 8.14.0, 8.16.0, 8.17.0, 8.18.0 and 8.20.0 β€” interleaved with clean releases that the maintainers appear to have pushed in an effort to remediate. The rapid re-publishing under a trusted account is characteristic of a live account or pipeline compromise, where whoever controlled the credentials kept racing to re-seed the malicious build faster than it could be pulled down.

Why it matters

A preinstall infostealer in a security vendor's own package is a particularly acute software-supply-chain risk: the malware executes automatically during npm install, before any code is even run, and it targets exactly the credentials β€” browser-stored secrets, password-manager data and session tokens β€” that a compromised developer machine can turn into onward access to source repositories, cloud accounts and CI systems. Coming amid a wave of npm account takeovers in 2026, the incident is another reminder that developers should pin exact versions, disable install scripts where practical, and treat a package from a trusted maintainer as no guarantee that the account behind it has not itself been hijacked.

Timeline

  1. The malicious jscrambler 8.14.0 release is published to npm under the legitimate jscrambler maintainer account; Socket flags it roughly six minutes later.

  2. Over about three hours the attacker publishes five malicious releases (8.14.0, 8.16.0, 8.17.0, 8.18.0 and 8.20.0), interleaved with clean versions the maintainers push as remediation.

Sources

  1. thehackernews.comhttps://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html
  2. safedep.iohttps://safedep.io/jscrambler-npm-supply-chain-compromise/
  3. stepsecurity.iohttps://www.stepsecurity.io/blog/jscrambler-npm-package-publishes-malicious-preinstall-binary

Related incidents