Malicious jscrambler 8.14.0 npm Release Delivered Cross-Platform Infostealer

A compromised release of the jscrambler npm package installed a Rust-based infostealer on developer systems, according to analyses by Socket, StepSecurity, and SafeDep. Version 8.14.0 was published on...

A compromised release of the jscrambler npm package installed a Rust-based infostealer on developer systems, according to analyses by Socket, StepSecurity, and SafeDep. Version 8.14.0 was published on July 11, 2026, and was replaced by 8.15.0 shortly afterward. However, the affected release remains available on npm and may still be installed when referenced by a lockfile or explicit version.

The malicious package introduced a preinstall hook and two files under dist/. The loader selects a platform-specific binary embedded in intro.js, writes it to a randomly named file in the system temporary directory, and starts it with its output concealed. Researchers found builds for Windows, macOS, and Linux. The files do not appear in the project’s public source history, and no corresponding 8.14.0 commit or tag was identified, suggesting that a maintainer account or release pipeline may have been abused.

Information targeted

The malware searches for credentials and session data commonly present on development and CI systems. Reported targets include AWS, Azure, and Google Cloud credentials; browser passwords and cookies; cryptocurrency wallets; Bitwarden data; and sessions for services such as Discord, Slack, Telegram, and Steam. Configuration files used by AI development tools, including Claude Desktop, Cursor, Windsurf, VS Code, and Zed, are also targeted because they may contain API keys or Model Context Protocol credentials.

On Linux, the binary includes functionality associated with loading eBPF code, while the Windows and macOS variants implement persistence mechanisms. Runtime monitoring observed connections to two hard-coded IP addresses and Tor infrastructure. The package receives roughly 15,800 downloads per week, although the number of installations of 8.14.0 is unknown.

  • Upgrade to 8.15.0 or roll back to 8.13.0, and remove 8.14.0 from lockfiles and caches.
  • Review package-manager logs and CI activity for installations from July 11 onward, including execution of dist/setup.js.
  • Inspect temporary directories, scheduled tasks, and macOS LaunchAgents for suspicious artifacts.
  • Assume accessible secrets were exposed: rotate cloud, npm, GitHub, and AI-tool credentials; revoke sessions; and secure cryptocurrency held on affected systems.

The incident highlights the risk of install scripts in developer dependencies. npm 12 disables such scripts by default, but older clients may execute them automatically.