Hackers backdoor Jscrambler npm package with infostealer malware
Jscrambler npm package backdoored with infostealer malware, downloaded 1,479 times.
Summary
Hackers compromised the Jscrambler npm package, publishing malicious versions (8.14, 8.16, 8.17, 8.20) containing an information-stealing malware. The malware, which executed during the 'preinstall' hook, targeted a wide range of sensitive data including credentials, cloud secrets, cryptocurrency wallets, and browser data. The malicious package was available for two hours and downloaded 1,479 times before being deprecated by Jscrambler.
Full text
Hackers backdoor Jscrambler npm package with infostealer malware By Bill Toulas July 13, 2026 03:44 PM 0 The Jscrambler client-side web security company disclosed that a threat actor published a malicious version of its npm package that has been downloaded almost 1,500 times. The malicious Jscrambler package spanned releases 8.14, 8.16, 8.17, and 8.20 and included information-stealing malware that executed during the ‘preinstall’ hook. “Today, we identified the unauthorized publication of a malicious version of our jscrambler npm package, which is used with our Code Integrity product,” Jscrambler says in a warning on Saturday. “This incident was limited to that package and did not affect any other Jscrambler products, including Webpage Integrity,” the company said. Although Jscrambler reacted quickly, the malicious package lasted for two hours before the developer deprecated it and released the safe version 8.22. The affected package was a dependency for four other Jscrambler packages, which the vendor has also deprecated and replaced with new versions. Statistical data from Node Package Manager (npm) shows that the malicious package was downloaded 1,479 times during the two-hour window. Jscrambler is a commercial platform for protecting web and mobile JavaScript applications from reverse engineering and tampering. Its npm package has 17,000 weekly downloads and enables app developers to upload their JavaScript to Jscrambler’s service to protect the code from alteration. This helps defend against real-time modifications like injecting malicious code. Application-security company Socket detected the compromise and analyzed the unauthorized Jscrambler release. The researchers say that the package included an infostealer that targeted multiple types of sensitive data: Source code and project files Developer credentials and secrets (Git, SSH, environment variables, CI/CD tokens) Cloud credentials and secret managers (AWS, Azure, GCP, Kubernetes) AI coding tools and MCP configurations (Claude, Cursor, Windsurf, VS Code, Zed) Cryptocurrency wallets and seed phrases (MetaMask, Phantom, Coinbase, Exodus, Trust Wallet) Browser data (cookies, saved credentials) Messaging and collaboration apps (Slack, Discord, Telegram) Socket reports that the malware used strong per-string obfuscation via the ChaCha20-Poly1305 encryption algorithm, which made it difficult to reverse-engineer the code. According to Jscrambler, the compromise was possible due to compromised npm publishing credentials, which the company has revoked. Following the incident, additional security controls have been implemented for the publishing pipeline. Developers who have used the malicious npm packages should treat their environments as compromised, rotate all secrets, and restore from safe backups. Jscrambler recommends that customers make sure that they are using the latest version of the product. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Popular node-ipc npm package compromised to steal credentialsNew Shai-Hulud malware wave compromises 600 npm packagesShai Hulud attack ships signed malicious TanStack, Mistral npm packagesNew IronWorm malware hits 36 packages in npm supply-chain attackInjective SDK on npm infected with cryptocurrency wallet stealer
Indicators of Compromise
- malware — infostealer