Skip to main content
Emerging ThreatsMalware & Ransomware

Jscrambler npm Package Infected with Infostealer Malware

Developer workspace with npm package management page, terminal window, and software items on a brightly lit desk.

"Today, we identified the unauthorized publication of a malicious version of our jscrambler npm package, which is used with our Code Integrity product," Jscrambler said in a warning posted Saturday.

Timeline: malicious releases, a two‑hour window, and nearly 1,500 installs

Attackers published a malicious version of the Jscrambler npm package across releases 8.14, 8.16, 8.17, and 8.20. The compromised releases remained available for approximately two hours before the developer deprecated the tainted packages and released what Jscrambler calls a safe version, 8.22. During that brief window Node Package Manager (npm) statistics show the malicious package was downloaded 1,479 times.

Jscrambler added that the incident "was limited to that package and did not affect any other Jscrambler products, including Webpage Integrity." The affected package was a dependency for four other Jscrambler packages; those dependent packages were also deprecated and replaced with new versions after the purge.

The infostealer: what the malicious code targeted

Application‑security firm Socket analyzed the unauthorized release and reported that the package contained an information‑stealing malware component. Socket’s findings list a broad set of targets for data collection, including:

  • Source code and project files
  • Developer credentials and secrets (Git, SSH, environment variables, CI/CD tokens)
  • Cloud credentials and secret managers (AWS, Azure, GCP, Kubernetes)
  • AI coding tools and MCP configurations (Claude, Cursor, Windsurf, VS Code, Zed)
  • Cryptocurrency wallets and seed phrases (MetaMask, Phantom, Coinbase, Exodus, Trust Wallet)
  • Browser data (cookies, saved credentials)
  • Messaging and collaboration apps (Slack, Discord, Telegram)

Socket noted that the malware used strong per‑string obfuscation implemented via the ChaCha20‑Poly1305 encryption algorithm, a choice the researchers said made reverse‑engineering the payload more difficult.

How the attackers gained access and Jscrambler's immediate steps

According to Jscrambler, the compromise was possible because npm publishing credentials had been compromised. The company said it has revoked those compromised credentials and implemented "additional security controls" in its publishing pipeline following the incident.

Jscrambler advised developers who used the malicious packages to treat their environments as compromised, rotate all secrets, and restore from safe backups. The company also urged customers to ensure they are running the latest version of the product.

Context: the package’s role and detection chain

The Jscrambler npm package is used with the vendor's Code Integrity product and, under normal conditions, receives about 17,000 weekly downloads. Jscrambler's package enables developers to upload JavaScript to the Jscrambler service to protect code from alteration and defend against real‑time modifications such as injected malicious code.

Socket, an application‑security company, was the party that detected and analyzed the compromise. Their analysis provided the detailed list of exfiltration targets and the technical observation about ChaCha20‑Poly1305 obfuscation.

What this means for developers, security teams, and customers

  • Developers: Jscrambler’s advisory is direct — treat development environments as compromised if the malicious packages were installed, rotate all credentials and secrets, and restore from verified backups.
  • Security teams: The incident highlights the window between publication and mitigation. Even a two‑hour compromise resulted in 1,479 downloads, underscoring the need to monitor software supply chains and to validate packages and their installation hooks (the malware executed during the npm 'preinstall' hook).
  • Customers and procurement: Ensure the product versions in use are updated to the vendor's safe release (8.22 or later, per Jscrambler) and verify that dependent packages have been replaced following the vendor’s deprecations.

The episode is a compact case study in supply‑chain speed: a compromised publishing credential, a malicious preinstall hook that reached nearly 1,500 installations in two hours, and a rapid vendor response that still left a measurable residue of risk. Jscrambler has revoked the credentials and added controls; developers and security teams have been given concrete, immediate remediation steps. Whether those measures will stop credential compromise and similarly fast distribution next time will be decided in the small window between publication and detection.

Source: https://www.bleepingcomputer.com/news/security/hackers-backdoor-jscrambler-npm-package-with-infostealer-malware/