Jscrambler npm Package Compromised in Supply Chain Attack

Jscrambler npm Package Compromised in Supply Chain Attack

First seen 12 Jul 2026, 16:28 UTC ThehackernewsAiweekly.Cosafedep.ioTechnaduthehacker.news+4 87% similarity 74.0

Article Content

Browse articles
ThreatCluster

On July 11, 2026, multiple malicious versions of the jscrambler npm package were published, exploiting a compromised npm publishing credential. The affected versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0) included a preinstall hook that deployed a Rust-based infostealer targeting sensitive data such as cloud credentials, CI tokens, and browser sessions. The attack evolved, with later versions embedding the malicious payload directly in the package code to evade detection. Jscrambler's response included immediate deprecation of the malicious versions and credential rotation. The package has approximately 15,800 weekly downloads, raising concerns about the potential impact on users. As of now, the latest clean version is 8.22.0, and the investigation is ongoing.

Key Points: • Five malicious versions of the jscrambler npm package were published on July 11, 2026. • The attack targeted sensitive data including cloud credentials and AI tool configurations. • Jscrambler quickly deprecated the malicious versions and rotated credentials to limit exposure.

ThreatCluster AI

Timeline

2026-07-11
Malicious versions of jscrambler published
Versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0 were published with a Rust infostealer payload.
safedep.io
2026-07-11
Jscrambler detects the compromise
The unauthorized publication was detected within seconds, triggering immediate incident response actions.
jscrambler.com
2026-07-11
Malicious versions deprecated
Jscrambler deprecated the affected versions to prevent further installations and began investigating the incident.
Technadu
2026-07-11
Investigation ongoing
Jscrambler is conducting a forensic investigation to determine the root cause of the credential compromise.
jscrambler.com

Community

Browse all →