Malware & Threats

Multiple Jscrambler Packages Impacted by Supply Chain Attack

A threat actor poisoned several Jscrambler NPM package versions to drop a cross-platform credential stealer.

supply chain threat

Several malicious versions of Jscrambler’s NPM package were published over the weekend as part of a supply chain attack involving compromised credentials.

The popular NPM package is used within the Jscrambler Code Integrity product, a JavaScript protection solution that turns web and mobile applications self-defensive and tamper-resistant.

The attack started on July 11, when a threat actor used the NPM publishing credentials to push a modified version of the package, containing a preinstall hook to drop binaries during the installation process.

While Jscrambler was responding to the incident, the threat actor published additional malicious iterations of the package, namely 8.16, 8.17, 8.18, and 8.20. The first clean version of the package is 8.22.

As the NPM library is a dependency for other packages, the incident also affected Jscrambler-webpack-plugin version 8.6.2, gulp-Jscrambler version 8.6.2, grunt-Jscrambler version 8.5.2, and Jscrambler-metro-plugin version 9.0.2.

According to Jscrambler, NPM data shows that the malicious package versions were downloaded 1,479 times before they were deprecated and replaced with clean versions.

Advertisement. Scroll to continue reading.

“Our investigation indicates that the attacker was able to publish the package using an NPM publishing credential. We have revoked and rotated all relevant credentials, passwords, and secrets, and have implemented additional security controls around our publishing process while the investigation continues,” Jscrambler said.

According to supply chain security firm Socket, the malicious package versions included the preinstall hook, two new files under dist/, namely setup.js and intro.js, and binaries targeting Linux, macOS, and Windows.

When the malicious package version is installed, the hook triggers the infection chain: setup.js is executed to load and execute a platform-specific binary from intro.js.

Written in Rust, the binaries are information stealers targeting credentials and secrets on developer and cloud-operator machines, cryptocurrency wallets and seed phrases, AI coding assistants and MCP server configurations, messaging and collaboration applications, browsers, Steam sessions, and OS keyrings.

The malware also attempts to elevate its privileges and achieve persistence, and performs host reconnaissance.

Socket observed the malware exfiltrating harvested information over TLS via rustls, likely to a drop server. Additionally, the malware constructed requests to query cloud and orchestration APIs using stolen credentials.

Users are advised to immediately remove the affected Jscrambler NPM package versions from their machines, scan the system for malware, and rotate all credentials, tokens, and API keys.

Related: Ghost Accounts Abuse GitHub API in Mass Recon Campaign

Related: North Korean Hackers Target Open Source Developers in Supply Chain Attacks

Related: Network of 200 GitHub Repositories Used for Malware Infection

Related: FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks

Related Content

Supply Chain Security

The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer to developers.

Artificial Intelligence

Decades-old Bash shell tricks can bypass safeguards in most open source AI coding agents, potentially turning malicious repositories into supply chain attack vectors.

Data Breaches

Roughly two dozen companies have notified their customers of the Klue-Salesforce incident impact.

Supply Chain Security

A malicious dependency the attackers added to over 140 Mastra packages fetches a payload targeting cryptocurrency extensions.

Data Breaches

HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, and Tanium are among the affected Klue customers.

Supply Chain Security

The hackers exfiltrated data from Salesforce instances of Klue customers, such as Huntress and Recorded Future.

Malware & Threats

Arch Linux suspended account registrations in response to the wave of malicious packages being uploaded to AUR.

Identity & Access

As attackers increasingly favor stolen credentials over exploits, infostealers have become a primary source of access for ransomware and other cybercrime operations.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version