The jscrambler npm package was tampered with, and installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious variant contains a preinstall hook that removes and executes a native binary, one build each for Windows, macOS, and Linux.
Socket greenlit the release six minutes after it was published. If you or one of your build systems pulled it into that window, whatever access your install process had, the payload has already run.
None of this is in the previous release, 8.13.0. The package difference shows two new files under dist/: setup.js, a small loader, and intro.js. Despite the name, intro.js is not JavaScript, but rather an approximately 7.8MB container that packs three gzip-compressed native binaries, one each for Linux, Windows, and macOS.
When installed, setup.js picks up the binary for the host operating system, writes it to the system temporary directory under a random name, marks it as executable, and launches it separately, hiding its output.
The added files are in the published package, but nowhere in the public source of jscrambler. StepSecurity and SafeDep both pulled and analyzed the release, and both reported no matching commits, tags, or pull requests for 8.14.0 in the GitHub repository.
Its latest tag is still 8.13.0. The version was pushed directly to npm under a legitimate maintainer account, bypassing the project’s normal release flow. This points to a compromised npm account or build pipeline. Which of the two has not been established?
According to updated analysis of the socket and a statement from The Hacker News, the payload is a Rust infostealer, built for all three platforms, that scans a developer machine for secrets and sends them over TLS to a drop server.
The target list is extensive and targeted at developers: cloud credentials from AWS, Azure, and Google Cloud, including access to metadata endpoint CI runners; Cryptocurrency wallets and seed phrases from MetaMask, Fantom and Exodus; Bitwarden Password Manager Vault; browser-stored passwords and cookies; and Discord, Slack, Telegram, and Steam sessions.
This also goes after something new: config files for AI coding tools including Cloud Desktop, Cursor, Windsurf, VS Code, and Jade, where API keys and Model Context Protocol server credentials sit.
Binaries do more than steal. On Linux, the payload links the kernel’s BPF library and can load an EBPF program from memory directly into the kernel. This is a penetration into the kernel, not the userspace file access that other hackers rely on. StepSecurity and SafeDep both flag the capability, although what EBPF does is still being fleshed out.
Windows and macOS builds include anti-debugging checks and stealth strings to avoid reboots: a hidden Windows scheduled task set to relaunch every minute, and a macOS LaunchAgent that reloads at login. Its command-and-control details remain encrypted in binary and are never exposed in static analysis.
StepSecurity’s runtime monitoring caught the dropped binary accessing two hard-coded IP addresses and the Tor infrastructure, which was the first network indicator published for the campaign.
jscrambler is a build-time tool, installed as a development dependency or run from CI. Those environments contain exactly what the stealer collected: cloud keys, deployment tokens, and source code that a build or CI process can access.
| Source: Step Security |
The package gets about 15,800 downloads a week, and how many people downloaded the compromised version is not yet known. This is a much smaller footprint than the packages affected in last year’s large NPM compromises, which between them pulled billions of downloads per week.
However, for someone who stole machines for the purpose of building them, access was never an issue. Have access.
The Shai-Hulud worm ran an install hook to steal tokens and spread to hundreds of packages in September. The widely used chk and debug packages were taken over via a phished maintainer account and used to re-route crypto payments.
In March, a hijacked account pushed a cross-platform Trojan into Axios, an HTTP library with more than 83 million weekly downloads. What makes the timing clear here is that NPM had just gone the opposite of this exact path: NPM 12 shipped on July 8, three days before this release, with dependency install scripts turned off by default.
On npm 12, this kind of preinstall hook doesn’t run unless someone approves it. Older clients still run them automatically.
Version 8.15.0 has since replaced it at the top of npm’s version list, published from the same maintainer account and showing no malware alerts 8.14.0 trips: no install script, no bundled binary. But 8.14.0 was not pulled.
It’s still on npm, so any lockfile or command pinned to it keeps installing the stealer. Only the main CLI package was affected; The jscrambler plugins for webpack, gulp, metro, and grunt remained at their clean June release, without any install hooks.
What do we do now
- Exit 8.14.0. Move to 8.15.0, or pin to 8.13.0 for pre-event releases, and clear jscrambler@8.14.0 from lockfiles and cache.
- Find out if you have installed 8.14.0 or not. Check the lockfiles and package-manager logs for jscrambler@8.14.0 since July 11 and the CI records for any runs of dist/setup.js. The loader leaves its payload in a temporary directory under a random name, so there is no fixed binary name for grep; Instead establish timestamps against node child processes and temp-directory executions. On Windows, check Task Scheduler for hidden tasks; On macOS, inspect ~/Library/LaunchAgents for unrecognized plist.
- If 8.14.0 runs on a machine, consider every secret it reaches as stolen, not just exposed. Rotate cloud keys, npm and GitHub tokens, and AI-tools and MCP API keys; Cancel Discord, Slack, browser, and Bitwarden sessions; And move any crypto out of the wallet on that host. Block the two command-and-control IPs listed below.
Cleanup was fast, but Stealer does its job in just a few seconds after install. A build pinned to 8.14.0 on the older client, which runs the install script, still runs the payload. And on any machines that were already running it, the secrets were gone before 8.15.0 even reached the top of the list.
indicators of agreement
Malicious package: jscrambler@8.14.0. SHA-256 hash for added files and their decompressed payload:
- dist/setup.js: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
- dist/intro.js: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
- Linux payload: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
- Windows payload: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
- macOS payload: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
Network endpoints StepSecurity observed at runtime. The two IPs are the direct attacker endpoints; The binary also accesses the Tor infrastructure for connectivity or routing:
- C2 IP: 37.27.122[.]124
- C2 IP: 57.128.246[.]79
- Tor infrastructure: check.torproject[.]org, archive.torproject[.]Organization
On-host artifact: A randomly named hidden file in the form’s system temporary directory. {random} or . {random}.exe on Windows, as well as a hidden Windows scheduled task or a macOS LaunchAgent for persistence.