{"slug": "malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-in", "title": "Malicious 'jscrambler' NPM Package Versions Deploy Cross-Platform Infostealer in Sophisticated Supply Chain Attack", "summary": "On July 11, 2026, a supply chain attack compromised the popular jscrambler npm package, with malicious versions deploying a cross-platform infostealer written in Rust. The malware targeted developer credentials, including cloud provider secrets, cryptocurrency wallets, and AI coding assistant configurations. Jscrambler has taken remedial action, but organizations are urged to audit systems and rotate exposed secrets.", "body_md": "*Originally published on CyberNetSec.*\n\nOn July 11, 2026, a sophisticated software supply chain attack was identified involving the popular `jscrambler`\n\nnpm package. Multiple malicious versions were published to the npm registry using a compromised maintainer's publishing credential. These packages contained a cross-platform infostealer written in Rust, designed to harvest sensitive developer credentials. The malware targeted a wide range of secrets, including cloud provider credentials, cryptocurrency wallets, and configuration files for modern AI coding assistants. The incident highlights the significant risk of dependency confusion and credential compromise in the software development lifecycle. ** Jscrambler** has taken remedial action, but organizations are urged to audit their systems and rotate all potentially exposed secrets immediately.\n\nThe attack began with the publication of `jscrambler`\n\nversion `8.14.0`\n\nto the ** npm** registry, followed by several other malicious versions (\n\n`8.16.0`\n\n, `8.17.0`\n\n, `8.18.0`\n\n, `8.20.0`\n\n). The threat actor leveraged a compromised npm publishing token to push these versions directly to the registry, bypassing the project's standard code review process on GitHub. The initial attack vector was an npm `preinstall`\n\nscript, which automatically executed upon package installation (`npm install`\n\n). This script unpacked and ran a native binary infostealer. Later versions adapted to use `require()`\n\n-time injection to evade detection mechanisms that block installation scripts.The primary goal of the attack was credential theft from developer workstations and CI/CD environments. The malware was specifically designed to be cross-platform, with executables for Windows, macOS, and Linux.\n\nThe attack chain demonstrates a clear understanding of developer workflows and security blind spots.\n\n`jscrambler`\n\npackage, allowing them to publish new versions. This aligns with `T1195.002 - Compromise Software Supply Chain`\n\n`preinstall`\n\nhook in the `package.json`\n\nfile. This hook ran a setup script that deployed the infostealer payload. This is a form of `T1059 - Command and Scripting Interpreter`\n\n`intro.js`\n\n). It contained compressed executables for Windows, macOS, and Linux.`T1552.005 - Cloud Credentials`\n\n`T1552.001 - Credentials In Files`\n\n`T1053.005 - Scheduled Task/Job: Scheduled Task`\n\n`T1543.001 - Create or Modify System Process: Launch Agent`\n\nThe impact of this attack is potentially severe. Any developer or CI/CD system that installed one of the malicious `jscrambler`\n\nversions could have had their credentials compromised. Stolen cloud credentials could lead to significant data breaches, unauthorized resource usage, and further lateral movement into corporate networks. The theft of AI coding tool credentials is a novel and concerning development, as it could allow attackers to access proprietary code, inject malicious code via the AI assistant, or abuse paid API quotas. The compromise of cryptocurrency wallets could result in direct financial loss for affected individuals.\n\nNo specific file hashes, IP addresses, or C2 domains were mentioned in the source articles.\n\nSecurity teams may want to hunt for the following patterns to identify potentially related activity:\n\n| Type | Value | Description |\n|---|---|---|\n| file_name | `intro.js` |\nThe name of the malicious binary payload, though it is not a JS file. |\n| command_line_pattern | `npm install jscrambler@8.14.0` |\nOr any of the other compromised versions. |\n| log_source | `CI/CD build logs` |\nLook for installations of the malicious `jscrambler` versions. |\n| process_name | `node.exe` |\nMonitor for child processes spawning unexpected binaries or making outbound network connections to unusual destinations. |\n| registry_key | `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` |\nCheck for suspicious entries related to persistence on Windows. |\n| file_path | `~/Library/LaunchAgents/` |\nCheck for new or suspicious `.plist` files on macOS. |\n\nSecurity teams should focus on detecting the installation and execution of the malicious packages.\n\n`package.json`\n\nand `package-lock.json`\n\nfiles for known malicious versions. Tools like `preinstall`\n\nscripts.`npm`\n\nor `node`\n\nprocesses that spawn unexpected child processes or write executable files. Monitor for the creation of scheduled tasks or launch agents immediately following an `npm install`\n\ncommand. A relevant D3FEND technique is `D3-PA - Process Analysis`\n\n`D3-NTA - Network Traffic Analysis`\n\nPreventing and mitigating such supply chain attacks requires a multi-layered approach.\n\n`package-lock.json`\n\nor `yarn.lock`\n\nto ensure that `npm install`\n\nuses a specific, vetted version of a dependency.`npm audit`\n\nto check for known vulnerabilities. Use tools that analyze package behavior, not just known CVEs.`npm install`\n\nwith the `--ignore-scripts`\n\nflag in environments where pre/post-install scripts are not expected or necessary. This is a form of `M1038 - Execution Prevention`\n\n`M1032 - Multi-factor Authentication`\n\n`M1026 - Privileged Account Management`", "url": "https://wpnews.pro/news/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-in", "canonical_source": "https://dev.to/netsecops_io/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-in-sophisticated-3671", "published_at": "2026-07-12 19:24:43+00:00", "updated_at": "2026-07-12 19:44:04.579768+00:00", "lang": "en", "topics": ["developer-tools", "ai-safety"], "entities": ["jscrambler", "npm", "GitHub", "Windows", "macOS", "Linux"], "alternates": {"html": "https://wpnews.pro/news/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-in", "markdown": "https://wpnews.pro/news/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-in.md", "text": "https://wpnews.pro/news/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-in.txt", "jsonld": "https://wpnews.pro/news/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-in.jsonld"}}