safedep.io
Jscrambler npm Package Compromised in Supply Chain Attack
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
On July 11, 2026, multiple malicious versions of the jscrambler npm package were published, exploiting a compromised npm publishing credential. The affected versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0) included a preinstall hook that deployed a Rust-based infostealer targeting sensitive data such as cloud credentials, CI tokens, and browser sessions. The attack evolved, with later versions embedding the malicious payload directly in the package code to evade detection. Jscrambler's response included immediate deprecation of the malicious versions and credential rotation. The package has approximately 15,800 weekly downloads, raising concerns about the potential impact on users. As of now, the latest clean version is 8.22.0, and the investigation is ongoing.
Key Points: • Five malicious versions of the jscrambler npm package were published on July 11, 2026. • The attack targeted sensitive data including cloud credentials and AI tool configurations. • Jscrambler quickly deprecated the malicious versions and rotated credentials to limit exposure.