Close Menu
geekfence.comgeekfence.com
    What's Hot

    TechCrunch Mobility: A robotaxi ultimatum

    July 12, 2026

    Choosing the Right AI Agent Memory Strategy: A Decision-Tree Approach

    July 12, 2026

    Handling Class Imbalance in ML: Better Alternatives to SMOTE

    July 12, 2026
    Facebook X (Twitter) Instagram
    • About Us
    • Contact Us
    Facebook Instagram
    geekfence.comgeekfence.com
    • Home
    • UK Tech News
    • AI
    • Big Data
    • Cyber Security
      • Cloud Computing
      • iOS Development
    • IoT
    • Mobile
    • Software
      • Software Development
      • Software Engineering
    • Technology
      • Green Technology
      • Nanotechnology
    • Telecom
    geekfence.comgeekfence.com
    Home»Cyber Security»Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
    Cyber Security

    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

    AdminBy AdminJuly 12, 2026No Comments7 Mins Read0 Views
    Facebook Twitter Pinterest LinkedIn Telegram Tumblr Email
    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

    The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux.

    Socket flagged the release six minutes after it was published. If you or one of your build systems pulled it in that window, the payload has already run with whatever access your install process had.

    None of this is in the prior release, 8.13.0. The package diff shows two new files under dist/: setup.js, a small loader, and intro.js. Despite the name, intro.js is not JavaScript but a roughly 7.8MB container packing three gzip-compressed native binaries, one each for Linux, Windows, and macOS.

    On install, setup.js picks the binary for the host operating system, writes it under a random name in the system temp directory, marks it executable, and launches it detached with its output hidden.

    The added files are in the published package, but nowhere in jscrambler’s public source. StepSecurity and SafeDep both pulled and analyzed the release, and both report no matching commit, tag, or pull request for 8.14.0 in the GitHub repository.

    Its latest tag is still 8.13.0. The version was pushed straight to npm under a legitimate maintainer account, bypassing the project’s normal release flow. That points to a compromised npm account or build pipeline. Which of the two has not been established.

    The payload is a Rust infostealer, built for all three platforms, that sweeps a developer machine for secrets and ships them to a drop server over TLS, according to Socket’s updated analysis and a statement to The Hacker News.

    The target list is broad and aimed at developers: cloud credentials from AWS, Azure, and Google Cloud, including the metadata endpoints CI runners use; cryptocurrency wallets and seed phrases from MetaMask, Phantom, and Exodus; the Bitwarden password manager vault; browser-stored passwords and cookies; and Discord, Slack, Telegram, and Steam sessions.

    It also goes after something newer: the config files for AI coding tools, including Claude Desktop, Cursor, Windsurf, VS Code, and Zed, where API keys and Model Context Protocol server credentials tend to sit.

    The binaries do more than steal. On Linux, the payload links the kernel’s BPF library and can load an eBPF program straight into the kernel from memory. That is a foothold in the kernel, not the userspace file access that the rest of the stealer relies on. StepSecurity and SafeDep both flagged the capability, though what the eBPF does is still being pulled apart.

    The Windows and macOS builds add anti-debugging checks, and the stealer wires in persistence to survive a reboot: a hidden Windows scheduled task set to relaunch every minute, and a macOS LaunchAgent that reloads on login. Its command-and-control details stay encrypted in the binary and never surfaced in static analysis.

    StepSecurity’s runtime monitoring caught the dropped binary reaching out to two hard-coded IP addresses and to Tor infrastructure, the first network indicators published for the campaign.

    jscrambler is a build-time tool, installed as a development dependency or run from CI. Those environments hold what the stealer collects: cloud keys, deploy tokens, and source code that a build or CI process can reach.

    Source: Step Security

    The package sees about 15,800 downloads a week, and how many pulled the compromised version is not yet known. That is a far smaller footprint than the packages hit in the big npm compromises of the past year, which pull billions of downloads a week between them.

    For a stealer aimed at build machines, though, reach was never the point. The access is.

    The Shai-Hulud worm ran from an install hook to steal tokens and spread through hundreds of packages that September. The widely used chalk and debug packages were taken over through a phished maintainer account and used to reroute crypto payments.

    In March, a hijacked account pushed a cross-platform trojan into Axios, an HTTP library with more than 83 million weekly downloads. What makes the timing here sharp is that npm had just moved against this exact route: npm 12 shipped on July 8, three days before this release, with dependency install scripts off by default.

    On npm 12, a preinstall hook like this one does not run unless someone approves it. Older clients still run them automatically.

    Version 8.15.0 has since replaced it at the top of npm’s version list, published from the same maintainer account and showing none of the malware alerts 8.14.0 tripped: no install script, no bundled binary. But 8.14.0 was not pulled.

    It is still on npm, so any lockfile or command pinned to it keeps installing the stealer. Only the main CLI package was hit; the jscrambler plugins for webpack, gulp, Metro, and grunt stayed on their clean June releases, with no install hooks.

    What to do now

    1. Get off 8.14.0. Move to 8.15.0, or pin to 8.13.0 for a release from before the incident, and clear jscrambler@8.14.0 from lockfiles and caches.
    2. Work out whether you installed 8.14.0. Check lockfiles and package-manager logs for jscrambler@8.14.0, and CI records for any run of dist/setup.js, from July 11 on. The loader drops its payload under a random name in the temp directory, so there is no fixed binary name to grep for; line up install timestamps against Node child processes and temp-directory execution instead. On Windows, check Task Scheduler for hidden tasks; on macOS, inspect ~/Library/LaunchAgents for unfamiliar plists.
    3. If 8.14.0 ran on a machine, treat every secret it could reach as stolen, not just exposed. Rotate cloud keys, npm and GitHub tokens, and AI-tool and MCP API keys; revoke Discord, Slack, browser, and Bitwarden sessions; and move any crypto out of wallets on that host. Block the two command-and-control IPs listed below.

    The cleanup was fast, but a stealer does its work in the seconds after install. A build pinned to 8.14.0, on an older client that runs install scripts, still runs the payload. And on any machine that already ran it, the secrets were gone before 8.15.0 ever reached the top of the list.

    Indicators of compromise

    Malicious package: jscrambler@8.14.0. SHA-256 hashes for the added files and their decompressed payloads:

    • dist/setup.js: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
    • dist/intro.js: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
    • Linux payload: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
    • Windows payload: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
    • macOS payload: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd

    Network endpoints StepSecurity observed at runtime. The two IPs are the direct attacker endpoints; the binary also reaches Tor infrastructure, likely for connectivity or routing:

    • C2 IP: 37.27.122[.]124
    • C2 IP: 57.128.246[.]79
    • Tor infrastructure: check.torproject[.]org, archive.torproject[.]org

    On-host artifacts: a randomly named hidden file in the system temp directory, of the form .{random} or .{random}.exe on Windows, plus a hidden Windows scheduled task or a macOS LaunchAgent for persistence.

    Update: More Malicious Releases, and Jscrambler Confirms a Compromised npm Credential

    Jscrambler has confirmed the cause: the attacker published the packages using a compromised npm publishing credential. Socket now ties five malicious jscrambler versions to the same actor, pushed over about three hours, and all carrying the same cross-platform infostealer described above.

    They are 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Jscrambler’s advisory lists four of them and does not mention 8.18.0, so treat all five as suspect until the two accounts agree. Version 8.15.0, published between the first two, is on neither list and appears clean.

    The delivery method changed partway through. Socket reports that 8.14.0, 8.16.0, and 8.17.0 run the malware from a preinstall hook, the same route as the first release. In 8.18.0 and 8.20.0, the dropper was moved into the package’s main code and CLI, so it fires when the package is imported or run, and npm install –ignore-scripts does not stop it. Jscrambler’s advisory describes only the preinstall vector.

    Jscrambler says the intrusion was limited to the jscrambler package for its Code Integrity product and did not reach its other products. It revoked and rotated its publishing credentials and secrets, hardened its publishing pipeline, and deprecated the malicious releases, though deprecation still leaves them installable by exact version.

    Its forensic investigation is ongoing. Both Jscrambler and Socket point to 8.22.0 as the clean release to move to.

    If you installed any affected version, upgrade to 8.22.0 and audit the workstation or CI runner that pulled it, rotating the credentials listed in the steps above.

    Jscrambler says npm currently reports zero downloads of the malicious versions but cautions that the count lags by hours and is still being verified, so it is not yet proof that nothing ran.



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

    Related Posts

    Felons, Fraudsters Flog Offensive Cybersecurity Startup – Krebs on Security

    July 11, 2026

    ESET Threat Report H1 2026

    July 10, 2026

    5 Settings That Make Readings Easier to See

    July 9, 2026

    SharpHound Recon Attack – How AI enhanced the threat hunt

    July 8, 2026

    Two arrested over credit card phishing

    July 7, 2026

    U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

    July 5, 2026
    Top Posts

    Understanding U-Net Architecture in Deep Learning

    November 25, 202560 Views

    Hard-braking events as indicators of road segment crash risk

    January 14, 202631 Views

    Redefining AI efficiency with extreme compression

    March 25, 202629 Views
    Don't Miss

    TechCrunch Mobility: A robotaxi ultimatum

    July 12, 2026

    Welcome back to TechCrunch Mobility, your hub for the future of transportation and now, more…

    Choosing the Right AI Agent Memory Strategy: A Decision-Tree Approach

    July 12, 2026

    Handling Class Imbalance in ML: Better Alternatives to SMOTE

    July 12, 2026

    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

    July 12, 2026
    Stay In Touch
    • Facebook
    • Instagram
    About Us

    At GeekFence, we are a team of tech-enthusiasts, industry watchers and content creators who believe that technology isn’t just about gadgets—it’s about how innovation transforms our lives, work and society. We’ve come together to build a place where readers, thinkers and industry insiders can converge to explore what’s next in tech.

    Our Picks

    TechCrunch Mobility: A robotaxi ultimatum

    July 12, 2026

    Choosing the Right AI Agent Memory Strategy: A Decision-Tree Approach

    July 12, 2026

    Subscribe to Updates

    Please enable JavaScript in your browser to complete this form.
    Loading
    • About Us
    • Contact Us
    • Disclaimer
    • Privacy Policy
    • Terms and Conditions
    © 2026 Geekfence.All Rigt Reserved.

    Type above and press Enter to search. Press Esc to cancel.