{"id":14256,"date":"2026-07-13T10:03:42","date_gmt":"2026-07-13T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/13\/hackers-compromised-jscrambler-with-15800-weekly-downloads-to-attack-developers\/"},"modified":"2026-07-13T10:03:42","modified_gmt":"2026-07-13T10:03:42","slug":"hackers-compromised-jscrambler-with-15800-weekly-downloads-to-attack-developers","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/13\/hackers-compromised-jscrambler-with-15800-weekly-downloads-to-attack-developers\/","title":{"rendered":"Hackers Compromised jscrambler With 15,800+ Weekly Downloads to Attack Developers"},"content":{"rendered":"<p>    Hackers Compromised jscrambler With 15,800+ Weekly Downloads to Attack Developers<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A supply chain attack on the <code>jscrambler<\/code> npm package, a JavaScript code-protection tool with over 15,800 weekly downloads, involved malicious versions that silently <a href=\"https:\/\/cybersecuritynews.com\/ironworm-supply-chain-attack-uses-malicious-npm-packages\/\" target=\"_blank\" rel=\"noreferrer noopener\">deployed native malware<\/a> on Linux, macOS, and Windows systems.<\/p>\n<p class=\"wp-block-paragraph\">Socket Research Team detected the first malicious release, jscrambler@8.14.0, on July 11, 2026, only six minutes after publication.<\/p>\n<p class=\"wp-block-paragraph\">The compromised release added an undocumented preinstall script, causing malicious code to execute automatically when a developer ran npm install. Victims did not need to import the package or run its command-line tool for the payload to launch.<\/p>\n<p class=\"wp-block-paragraph\">The attack affected versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Jscrambler later confirmed that an attacker used an<a href=\"https:\/\/cybersecuritynews.com\/compromised-namastex-npm-packages\/\" target=\"_blank\" rel=\"noreferrer noopener\"> npm publishing credential<\/a> to upload the unauthorized releases.<\/p>\n<p class=\"wp-block-paragraph\">The company revoked and rotated publishing credentials, deprecated the affected versions, and released clean version 8.22.0.<\/p>\n<h2 id=\"h-hackers-compromise-jscrambler-package\" class=\"wp-block-heading\"><strong>Hackers Compromise jscrambler Package<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">In the early malicious releases, the attackers inserted a preinstall hook that launched dist\/setup.js. This loader read a disguised binary container named dist\/intro.js, selected a payload based on the victim\u2019s operating system, and wrote it to a hidden temporary file.<\/p>\n<p class=\"wp-block-paragraph\">It then started the executable in the background without displaying output or requiring user interaction. The container held three Rust-based binaries: a Linux ELF file, a Windows PE executable, and a macOS Apple Silicon Mach-O binary.<\/p>\n<p class=\"wp-block-paragraph\">Starting with version 8.18.0, the attackers removed the install hook and injected the same loader into the package\u2019s main JavaScript files.<\/p>\n<p class=\"wp-block-paragraph\">This allowed the malware to run when an application imported jscrambler or when its CLI was executed, bypassing checks focused only on npm lifecycle scripts.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/socket.dev\/blog\/jscrambler-supply-chain-attack\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to the Socket Research Team<\/a>, the malware was designed to steal high-value developer and cloud credentials, targeting browser data, cryptocurrency wallets, Discord, Slack, Telegram, Steam sessions, cloud tokens, and local OS keyrings.<\/p>\n<p>It also searched for configuration files used by AI coding tools, including Claude Desktop, Cursor, Windsurf, VS Code, Zed, and MCP server configurations, which can contain API keys and sensitive connection details.<\/p>\n<p class=\"wp-block-paragraph\">The payload also attempted to <a href=\"https:\/\/cybersecuritynews.com\/hackers-compromise-170-npm-packages\/\" target=\"_blank\" rel=\"noreferrer noopener\">access credentials for AWS<\/a>, Google Cloud, and Microsoft Azure. It included references to cloud metadata endpoints, secret-management services, Kubernetes APIs, and deployment environments.<\/p>\n<p class=\"wp-block-paragraph\">This poses a serious risk to software developers because build systems and CI pipelines often contain source code, signing keys, deployment tokens, and production credentials.<\/p>\n<p class=\"wp-block-paragraph\">To slow analysis, the malware encrypted around configuration strings using ChaCha20-Poly1305 encryption. Researchers also identified network code that appeared to upload stolen data via <a href=\"https:\/\/cybersecuritynews.com\/opossum-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">encrypted TLS connections<\/a>, using a multipart HTTP request to the\/upload endpoint.<\/p>\n<p class=\"wp-block-paragraph\">Organizations should immediately remove affected <code>jscrambler<\/code> versions, audit npm installation and CI logs, and rotate credentials exposed on impacted developer systems and build servers.<\/p>\n<p class=\"wp-block-paragraph\">Users should upgrade to verified clean version 8.22.0 and review lockfiles for transitive references to compromised versions.<\/p>\n<p class=\"wp-block-paragraph\">The incident highlights how a stolen npm publishing credential can turn a trusted developer dependency into an effective entry point for credential theft and cloud compromise.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicators of Compromise<\/strong><\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th><strong>IOC Type<\/strong><\/th>\n<th><strong>Indicator<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Affected Versions<\/strong><\/td>\n<td>\n<code>jscrambler<\/code> 8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0<\/td>\n<\/tr>\n<tr>\n<td><strong>Patched Version<\/strong><\/td>\n<td>\n<code>jscrambler<\/code> 8.22.0<\/td>\n<\/tr>\n<tr>\n<td><strong>Preinstall Hook<\/strong><\/td>\n<td><code>preinstall: node dist\/setup.js<\/code><\/td>\n<\/tr>\n<tr>\n<td><strong>Dropped Files<\/strong><\/td>\n<td>\n<code>dist\/setup.js<\/code>, <code>dist\/intro.js<\/code>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Loader SHA-256<\/strong><\/td>\n<td><code>a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60<\/code><\/td>\n<\/tr>\n<tr>\n<td><strong>Payload SHA-256<\/strong><\/td>\n<td><code>a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86<\/code><\/td>\n<\/tr>\n<tr>\n<td><strong>package.json SHA-256<\/strong><\/td>\n<td><code>bba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0<\/code><\/td>\n<\/tr>\n<tr>\n<td><strong>Linux ELF SHA-256<\/strong><\/td>\n<td><code>fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd<\/code><\/td>\n<\/tr>\n<tr>\n<td><strong>Windows PE SHA-256<\/strong><\/td>\n<td><code>b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903<\/code><\/td>\n<\/tr>\n<tr>\n<td><strong>macOS Mach-O SHA-256<\/strong><\/td>\n<td><code>c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd<\/code><\/td>\n<\/tr>\n<tr>\n<td><strong>File Signature<\/strong><\/td>\n<td>\n<code>1b 43 53 49 01<\/code> (<code>x1bCSIx01<\/code>)<\/td>\n<\/tr>\n<tr>\n<td><strong>Execution Artifact<\/strong><\/td>\n<td>Hidden temp executable<\/td>\n<\/tr>\n<tr>\n<td><strong>Process Artifact<\/strong><\/td>\n<td>Detached <code>spawn()<\/code> process<\/td>\n<\/tr>\n<tr>\n<td><strong>Network IOC<\/strong><\/td>\n<td>\n<code>POST \/upload<\/code> (multipart\/form-data)<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloud Metadata<\/strong><\/td>\n<td>\n<code>169.254.169[.]254<\/code>, <code>169.254.170<code>[.]<\/code>2<\/code>, <code>metadata.google.internal<\/code>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Recon Endpoints<\/strong><\/td>\n<td>\n<code>check.torproject.org\/api\/ip<\/code>, <code>1.1.1.1<\/code>, <code>8.8.8.8<\/code>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:\u00a0<\/strong><em>IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.<\/em><\/p>\n<p class=\"has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>\u00a0Strengthen Your SOC by Accelerating Threat Detection &amp; Rapid Investigations.\u00a0-&gt; <a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Integrate ANY.RUN With Your SOC <\/a><strong><a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Now<\/a><\/strong>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-compromised-jscrambler\/\">Hackers Compromised jscrambler With 15,800+ Weekly Downloads to Attack Developers<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-compromised-jscrambler\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Compromised jscrambler With 15,800+ Weekly Downloads to Attack Developers A supply chain attack on the jscrambler npm package, a JavaScript code-protection tool with over 15,800 weekly downloads, involved malicious versions that silently deployed native malware on Linux, macOS, and Windows systems. Socket Research Team detected the first malicious release, jscrambler@8.14.0, on July 11, 2026, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-14256","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14256"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14256"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14256\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14256"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}