Hackers Compromised jscrambler With 15,800+ Weekly Downloads to Attack Developers

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A supply chain attack on the jscrambler npm package, a JavaScript code-protection tool with over 15,800 weekly downloads, involved malicious versions that silently deployed native malware on Linux, macOS, and Windows systems.

Socket Research Team detected the first malicious release, [email protected], on July 11, 2026, only six minutes after publication.

The compromised release added an undocumented preinstall script, causing malicious code to execute automatically when a developer ran npm install. Victims did not need to import the package or run its command-line tool for the payload to launch.

The attack affected versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Jscrambler later confirmed that an attacker used an npm publishing credential to upload the unauthorized releases.

The company revoked and rotated publishing credentials, deprecated the affected versions, and released clean version 8.22.0.

Hackers Compromise jscrambler Package

In the early malicious releases, the attackers inserted a preinstall hook that launched dist/setup.js. This loader read a disguised binary container named dist/intro.js, selected a payload based on the victim’s operating system, and wrote it to a hidden temporary file.

It then started the executable in the background without displaying output or requiring user interaction. The container held three Rust-based binaries: a Linux ELF file, a Windows PE executable, and a macOS Apple Silicon Mach-O binary.

Starting with version 8.18.0, the attackers removed the install hook and injected the same loader into the package’s main JavaScript files.

This allowed the malware to run when an application imported jscrambler or when its CLI was executed, bypassing checks focused only on npm lifecycle scripts.

According to the Socket Research Team, the malware was designed to steal high-value developer and cloud credentials, targeting browser data, cryptocurrency wallets, Discord, Slack, Telegram, Steam sessions, cloud tokens, and local OS keyrings.

It also searched for configuration files used by AI coding tools, including Claude Desktop, Cursor, Windsurf, VS Code, Zed, and MCP server configurations, which can contain API keys and sensitive connection details.

The payload also attempted to access credentials for AWS, Google Cloud, and Microsoft Azure. It included references to cloud metadata endpoints, secret-management services, Kubernetes APIs, and deployment environments.

This poses a serious risk to software developers because build systems and CI pipelines often contain source code, signing keys, deployment tokens, and production credentials.

To slow analysis, the malware encrypted around configuration strings using ChaCha20-Poly1305 encryption. Researchers also identified network code that appeared to upload stolen data via encrypted TLS connections, using a multipart HTTP request to the/upload endpoint.

Organizations should immediately remove affected jscrambler versions, audit npm installation and CI logs, and rotate credentials exposed on impacted developer systems and build servers.

Users should upgrade to verified clean version 8.22.0 and review lockfiles for transitive references to compromised versions.

The incident highlights how a stolen npm publishing credential can turn a trusted developer dependency into an effective entry point for credential theft and cloud compromise.

Indicators of Compromise

IOC Type Indicator
Affected Versions jscrambler 8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0
Patched Version jscrambler 8.22.0
Preinstall Hook preinstall: node dist/setup.js
Dropped Files dist/setup.js, dist/intro.js
Loader SHA-256 a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
Payload SHA-256 a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
package.json SHA-256 bba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0
Linux ELF SHA-256 fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
Windows PE SHA-256 b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
macOS Mach-O SHA-256 c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
File Signature 1b 43 53 49 01 (x1bCSIx01)
Execution Artifact Hidden temp executable
Process Artifact Detached spawn() process
Network IOC POST /upload (multipart/form-data)
Cloud Metadata 169.254.169[.]254, 169.254.170[.]2, metadata.google.internal
Recon Endpoints check.torproject.org/api/ip, 1.1.1.1, 8.8.8.8

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.