Hackers Compromised jscrambler With 15,800+ Weekly Downloads to Attack Developers
A supply chain attack on the jscrambler npm package, a JavaScript code-protection tool with over 15,800 weekly downloads, involved malicious versions that silently deployed native malware on Linux, macOS, and Windows systems.
Socket Research Team detected the first malicious release, [email protected], on July 11, 2026, only six minutes after publication.
The compromised release added an undocumented preinstall script, causing malicious code to execute automatically when a developer ran npm install. Victims did not need to import the package or run its command-line tool for the payload to launch.
The attack affected versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Jscrambler later confirmed that an attacker used an npm publishing credential to upload the unauthorized releases.
The company revoked and rotated publishing credentials, deprecated the affected versions, and released clean version 8.22.0.
Hackers Compromise jscrambler Package
In the early malicious releases, the attackers inserted a preinstall hook that launched dist/setup.js. This loader read a disguised binary container named dist/intro.js, selected a payload based on the victim’s operating system, and wrote it to a hidden temporary file.
It then started the executable in the background without displaying output or requiring user interaction. The container held three Rust-based binaries: a Linux ELF file, a Windows PE executable, and a macOS Apple Silicon Mach-O binary.
Starting with version 8.18.0, the attackers removed the install hook and injected the same loader into the package’s main JavaScript files.
This allowed the malware to run when an application imported jscrambler or when its CLI was executed, bypassing checks focused only on npm lifecycle scripts.
According to the Socket Research Team, the malware was designed to steal high-value developer and cloud credentials, targeting browser data, cryptocurrency wallets, Discord, Slack, Telegram, Steam sessions, cloud tokens, and local OS keyrings.
It also searched for configuration files used by AI coding tools, including Claude Desktop, Cursor, Windsurf, VS Code, Zed, and MCP server configurations, which can contain API keys and sensitive connection details.
The payload also attempted to access credentials for AWS, Google Cloud, and Microsoft Azure. It included references to cloud metadata endpoints, secret-management services, Kubernetes APIs, and deployment environments.
This poses a serious risk to software developers because build systems and CI pipelines often contain source code, signing keys, deployment tokens, and production credentials.
To slow analysis, the malware encrypted around configuration strings using ChaCha20-Poly1305 encryption. Researchers also identified network code that appeared to upload stolen data via encrypted TLS connections, using a multipart HTTP request to the/upload endpoint.
Organizations should immediately remove affected jscrambler versions, audit npm installation and CI logs, and rotate credentials exposed on impacted developer systems and build servers.
Users should upgrade to verified clean version 8.22.0 and review lockfiles for transitive references to compromised versions.
The incident highlights how a stolen npm publishing credential can turn a trusted developer dependency into an effective entry point for credential theft and cloud compromise.
Indicators of Compromise
| IOC Type | Indicator |
|---|---|
| Affected Versions |
jscrambler 8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0 |
| Patched Version |
jscrambler 8.22.0 |
| Preinstall Hook | preinstall: node dist/setup.js |
| Dropped Files |
dist/setup.js, dist/intro.js
|
| Loader SHA-256 | a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60 |
| Payload SHA-256 | a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86 |
| package.json SHA-256 | bba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0 |
| Linux ELF SHA-256 | fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd |
| Windows PE SHA-256 | b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903 |
| macOS Mach-O SHA-256 | c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd |
| File Signature |
1b 43 53 49 01 (x1bCSIx01) |
| Execution Artifact | Hidden temp executable |
| Process Artifact | Detached spawn() process |
| Network IOC |
POST /upload (multipart/form-data) |
| Cloud Metadata |
169.254.169[.]254, 169.254.170, metadata.google.internal
|
| Recon Endpoints |
check.torproject.org/api/ip, 1.1.1.1, 8.8.8.8
|
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post Hackers Compromised jscrambler With 15,800+ Weekly Downloads to Attack Developers appeared first on Cyber Security News.
Abinaya
Go to cyber-security-news