Jscrambler npm Package Compromised: A Security Vendor Becomes the Supply Chain Risk
TL;DR
On July 11, 2026, a malicious version of the jscrambler npm package was published to the npm registry using a compromised publishing credential. Version 8.14.0 shipped a preinstall hook that silently drops and runs a Rust infostealer on Windows, macOS, and Linux. The payload targets cloud credentials, CI tokens, browser sessions, crypto wallets, Bitwarden vaults, and the config files of AI coding tools like Claude Desktop and Cursor. Jscrambler deprecated the release and reports zero confirmed downloads so far, with the investigation ongoing.
The takeaway is uncomfortable but unavoidable: your security vendors are third-party software too. If a client-side security company’s own distribution channel can be hijacked, every installed component in your stack deserves the same scrutiny you apply to marketing tags.
What happened
| Fact | Detail |
|---|---|
| Package | jscrambler (npm), used with Jscrambler’s Code Integrity product |
| Malicious version | 8.14.0 (Jscrambler’s advisory also lists 8.16, 8.17, and 8.20) |
| Published | July 11, 2026, 16:12:40 BST |
| Attack vector | Compromised npm publishing credential; pushed outside the normal release flow |
| Payload | Cross-platform Rust infostealer executed via npm preinstall hook |
| Detection | Flagged by Socket six minutes after publication; Jscrambler alerted within seconds via maintainer notifications |
| Downloads | npm reports 0 downloads of the affected version; Jscrambler is independently verifying |
| Safe versions | 8.22 or later per Jscrambler’s advisory |
| Status | Malicious version deprecated but still present on npm; investigation ongoing |
The compromised release required no import and no CLI call. Installing it was enough. The preinstall script selected a native binary for the host OS, wrote it to the temp directory under a random name, and launched it detached with hidden output.
The added files existed only in the published npm package. Researchers at StepSecurity and SafeDep confirmed there was no matching commit, tag, or pull request in the public GitHub repository.
What the malware steals
The payload is a purpose-built developer infostealer. Its target list maps directly onto what a build machine or CI runner can reach:
- Cloud credentials: AWS, Azure, and Google Cloud keys, including CI metadata endpoints
- Developer tokens: npm and GitHub credentials available to the install process
- AI tool configs: API keys and MCP server credentials from Claude Desktop, Cursor, Windsurf, VS Code, and Zed
- Password managers: Bitwarden vault data
- Browser data: stored passwords and cookies
- Sessions: Discord, Slack, Telegram, and Steam
- Crypto wallets: MetaMask, Phantom, and Exodus seed phrases
It also goes beyond ordinary theft. The Linux build can load an eBPF program into the kernel from memory. The Windows and macOS builds include anti-debugging checks and persistence: a hidden scheduled task on Windows and a LaunchAgent on macOS.
Exfiltration runs over TLS to two hard-coded IP addresses, with Tor infrastructure also observed at runtime.
Why this incident matters more than its download count
The jscrambler package sees roughly 15,800 downloads a week. That is small compared to the npm mega-compromises of the past year. But raw reach was never the point.
Jscrambler is a build-time tool. It runs exactly where the most valuable secrets live: deploy tokens, cloud keys, signing credentials, and source code. A stealer planted in a security vendor’s build tooling is aimed at the highest-value environment an attacker can reach through npm.
Three points stand out:
- The victim is a security vendor. Jscrambler sells client-side protection and supply chain security. Its own npm distribution channel was the vector. No vendor category is exempt from supply chain risk, including the vendors you buy to manage it.
- The timing was deliberate-looking. npm 12 shipped on July 8 with install scripts disabled by default. This attack landed three days later, exploiting the long tail of older npm clients that still run preinstall hooks automatically.
- The malicious version is still on npm. It was deprecated, not removed. Any lockfile pinned to 8.14.0 on an older client keeps installing the stealer.
To Jscrambler’s credit, detection and response were fast. Maintainer notifications triggered within seconds, the version was deprecated quickly, and credentials were rotated. Speed limited the blast radius. It did not eliminate the underlying exposure.
What to do now
If your organization uses the jscrambler npm package:
- Upgrade to version 8.22 or later per the vendor advisory
- Audit lockfiles, package-manager logs, and CI records for
[email protected](and 8.16, 8.17, 8.20) from July 11 onward - Assume theft, not exposure, if a compromised version ran: rotate cloud keys, npm and GitHub tokens, and AI tool and MCP API keys; revoke browser, Slack, Discord, and Bitwarden sessions
- Hunt for persistence: hidden Windows scheduled tasks and unfamiliar macOS LaunchAgents
- Block the published C2 indicators (available in The Hacker News coverage and vendor research)
For everyone else, the checklist is broader:
- Inventory every installed security agent, SDK, and build-time tool in your stack
- Disable npm install scripts by default (npm 12 does this out of the box)
- Treat vendor tooling with the same third-party risk process you apply to any script or tag
The bigger lesson: installed components are attack surface
Every tool you install, whether it is a marketing tag, an npm dependency, or a security product, inherits your trust and your access. This incident did not exploit a vulnerability in Jscrambler’s product. It exploited the distribution channel, which is the part customers can neither see nor control.
That is the structural argument for remote, zero-installation monitoring over embedded tooling. The two approaches carry fundamentally different supply chain profiles:
Embedded vs. remote: the supply chain difference
| Embedded approach | Remote approach (Reflectiz) | |
|---|---|---|
| Deployment | Agent, SDK, script, or npm package installed in your environment | Runs externally, zero installation |
| Supply chain exposure | Vendor’s publishing channel becomes part of your attack surface | No vendor code enters your environment |
| If the vendor is compromised | A malicious update executes with your access, in your build or on your pages | No path into your site or pipeline |
| Performance impact | Adds code to pages or build time | None |
| This incident’s relevance | Direct: a compromised package ran on install | Not applicable by design |
Reflectiz runs entirely outside your environment. Nothing is installed on your site, in your build pipeline, or on your infrastructure. There is no Reflectiz package in your lockfile, no agent on your servers, and no script on your pages. A compromise of Reflectiz’s own distribution channel cannot become a compromise of yours, because there is no distribution channel into your environment in the first place.
Embedded tools protect you until their supply chain fails. Remote monitoring has no supply chain into your site to fail.
The same continuous visibility applies to what already runs on your web assets: every third-party and fourth-party script, tag, and iframe is mapped, baselined, and monitored for behavioral change. When a trusted component starts doing something new, you know before your customers do.
FAQs
Can security vendors be a supply chain risk?
Yes. Any vendor whose product installs code, packages, or agents in your environment is part of your supply chain, and its distribution channel is part of your attack surface. This incident shows that even client-side security vendors can be compromised at the publishing layer. Externally operated, zero-installation tools remove this class of risk because no vendor code enters your environment.
Did npm 12 prevent this attack?
Partially. npm 12, released July 8, 2026, disables dependency install scripts by default, which blocks preinstall hooks like this one unless explicitly approved. However, older npm clients still run install scripts automatically, and the malicious version remains on the registry for pinned builds.
How do I know if I installed the compromised version?
Check lockfiles and package-manager logs for [email protected] (and versions 8.16, 8.17, 8.20), and review CI logs from July 11, 2026 onward for execution of dist/setup.js. The dropped binary uses a random name in the temp directory, so correlate install timestamps with child processes and temp-directory execution rather than searching for a fixed filename.
Is it safe to use Jscrambler now?
Jscrambler’s advisory states that versions 8.22 and later are safe and that the incident was limited to the jscrambler npm package used with Code Integrity. Other products, including Webpage Integrity, were not affected. The investigation is ongoing, so monitor the vendor advisory for updates.
Was the jscrambler npm package hacked?
Yes. On July 11, 2026, an attacker used a compromised npm publishing credential to publish malicious versions of the jscrambler npm package, starting with 8.14.0. The release contained a preinstall hook that installs a cross-platform infostealer. Jscrambler deprecated the versions and rotated its publishing credentials.
What does the jscrambler 8.14.0 malware do?
It runs automatically during npm install via a preinstall hook, drops a Rust infostealer built for Windows, macOS, and Linux, and steals cloud credentials, CI tokens, browser passwords and cookies, crypto wallets, Bitwarden vaults, messaging sessions, and AI coding tool configs including MCP server credentials. It adds persistence on Windows and macOS and can load eBPF programs on Linux.
What is the difference between embedded and remote client-side security?
Embedded security tools install code in your environment: an agent, SDK, script, or npm package. They gain deep access but inherit supply chain risk, because a compromise of the vendor’s publishing channel executes inside your build or on your pages. Remote security tools like Reflectiz operate entirely outside your environment with zero installation, so a vendor-side compromise has no path into your site, build pipeline, or infrastructure.
Subscribe to our newsletter
Stay updated with the latest news, articles, and insights from Reflectiz.
Related Articles
AI Has Changed The Web.
Are You Ready for What’s Next?
Third-party code shifts by the hour. Supply-chain compromises strike without warning. AI-driven web attacks now evolve faster than traditional security can ever keep up.
Reflectiz delivers the continuous, real-time visibility needed to expose the risks traditional tools miss entirely.
Zero code changes. Zero access to your data. Ultimate peace of mind.