Skip to main content
Emerging ThreatsMalware & Ransomware

Compromised jscrambler NPM Package Drops Rust Infostealer

Developer workstation with laptop and terminal in a shared office space with cityscape background.
"Installing 8.14.0 is enough to run it," The Hacker News reported.

On July 11, 2026, version 8.14.0 of the jscrambler npm package was published with a malicious preinstall hook that silently dropped and executed a native infostealer during installation. The payload required neither importing the package nor running a jscrambler command-line tool — merely installing 8.14.0 on a host with an older npm client or an enabled install-script policy was enough to run it.

Malicious preinstall hook and how the payload ran

The published package added two files under dist/: setup.js, a small loader, and intro.js, a roughly 7.8MB container packing three gzip-compressed native binaries — one each for Linux, Windows, and macOS. On install, setup.js selected the appropriate binary for the host OS, wrote it under a random name in the system temporary directory, marked it executable, and launched it detached with its output hidden. Socket flagged the release six minutes after it went live; if a build system pulled it in that window, the payload would already have run with whatever access that install process had.

The Windows and macOS builds included anti-debugging checks and persistence mechanisms: a hidden Windows scheduled task set to relaunch every minute, and a macOS LaunchAgent that reloads on login. The Linux build additionally linked the kernel's BPF library and could load an eBPF program into the kernel from memory — a capability StepSecurity and SafeDep both flagged, though what the eBPF did is still being analyzed.

Repository mismatch and likely account or pipeline compromise

The added files were present in the published npm package but absent from jscrambler's public repository. StepSecurity and SafeDep reported no matching commit, tag, or pull request for 8.14.0 on GitHub; the repository's latest tag remained 8.13.0. The version was pushed straight to npm from a legitimate maintainer account, bypassing the project's normal release flow. That pattern points to either a compromised npm maintainer account or a compromised build pipeline — which of the two has not been established.

Targets, exfiltration, and network indicators observed at runtime

Socket, in an updated analysis and a statement to The Hacker News, and runtime monitoring by StepSecurity, identify the payload as a Rust infostealer built for all three platforms. Its sweep is aimed squarely at developer machines and build environments. The stealer searches for cloud credentials from AWS, Azure, and Google Cloud — including metadata endpoints used by CI runners — and looks for secrets in AI coding-tool config files for Claude Desktop, Cursor, Windsurf, VS Code, and Zed.

It also harvests cryptocurrency wallets and seed phrases (MetaMask, Phantom, Exodus), the Bitwarden vault, browser-stored passwords and cookies, and sessions for Discord, Slack, Telegram, and Steam. Command-and-control details remain encrypted in the binary; StepSecurity observed the dropped binary contacting two hard-coded IP addresses and Tor infrastructure (check.torproject[.]org and archive.torproject[.]org), the first published network indicators for this campaign.

What this means for jscrambler users, CI/build teams, and security responders

  • jscrambler users and developers: If you installed jscrambler@8.14.0, treat every secret the process could reach as already exfiltrated. Rotate cloud keys, npm and GitHub tokens, and AI-tool and Model Context Protocol API keys; revoke Discord, Slack, browser, and Bitwarden sessions; and move any cryptocurrency from wallets that resided on the affected host.
  • CI and build engineers: Check lockfiles and package-manager logs for jscrambler@8.14.0 and CI records for any run of dist/setup.js from July 11 onward. The loader drops its payload under a random name in temp, so investigators should align install timestamps against Node child processes and temporary-directory execution rather than relying on fixed filenames. On Windows, inspect Task Scheduler for hidden tasks; on macOS, examine ~/Library/LaunchAgents for unfamiliar plists.
  • Security responders and ops teams: Block the two observed command-and-control IPs, and search endpoint telemetry for the on-host artifacts described below. Consider that older npm clients continue to run install scripts automatically; npm 12 (released July 8) disables dependency install scripts by default, but older clients are still at risk.

Indicators of compromise and recommended remediation steps

Remediation guidance published with the analysis is explicit and immediate: move off 8.14.0 — upgrade to 8.15.0 or pin to 8.13.0 — and clear jscrambler@8.14.0 from lockfiles and caches. If 8.14.0 ran on a machine, assume theft and rotate credentials that could be reached from that environment. The package remains on npm, so pinned installs or older clients can still run the payload.

Published indicators (SHA-256 hashes and artifacts) include:

  • Malicious package: jscrambler@8.14.0
  • dist/setup.js: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
  • dist/intro.js: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
  • Linux payload: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
  • Windows payload: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
  • macOS payload: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
  • Observed C2 IPs: 37.27.122[.]124 and 57.128.246[.]79
  • Tor infrastructure observed: check.torproject[.]org, archive.torproject[.]org
  • On-host artifacts: a randomly named hidden file in the system temp directory (.{{random}} or .{{random}}.exe on Windows), plus a hidden Windows scheduled task or a macOS LaunchAgent for persistence.

The cleanup to replace 8.14.0 with 8.15.0 happened quickly, but the stealer acts in the seconds after install. Because the package still exists on npm and older clients still execute install hooks, any build pinned to 8.14.0 or any environment running a preinstall script automatically remains exposed. The immediate questions left by the facts on record are operational: how many installs ran in the minutes between publish and detection, which accounts or pipelines were used to publish the malicious version, and whether the Linux eBPF capability was used for additional covert activity. For teams that build and ship software, the takeaway is plain — check your lockfiles, your CI logs, and rotate any secret the build could reach.

Source: The Hacker News — Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer