[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLM40Q-3Ih1LC9IvUtKUduR3KgM35Tng7qexoibhayk8":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"9aa90902-56d6-4a88-b374-10c3aae813e1","jscrambler npm Package Compromised in Supply Chain Attack","jscrambler-npm-package-compromised-in-supply-chain-attack-680fb7","A compromised release of the popular jscrambler npm package introduced hidden native binaries that execute automatically during npm install, exposing users to a supply chain attack before any application code runs. The malicious 8.14.0 release, published on July 11, adds an undocumented preinstall hook that invokes dist\u002Fsetup.js. It also introduces new files, including dist\u002Fsetup.js and dist\u002Fintro.js, along with platform-specific binaries for Linux, macOS, and Windows embedded in an obfuscated CSI container. None of these files or the install hook exist in the previous release, 8.13.0. Socket detected the compromised package 6 minutes after publication. The package selects and executes one of three bundled binaries depending on whether it is installed on Windows, macOS, or Linux. At a glance Compromised package: jscrambler@8.14.0 Published: July 11, 2026 Weekly downloads: ~15,800 Time to detection: 6 minutes Key findings Undocumented preinstall hook executes code automatically during npm install. Hidden native binaries added for Linux, macOS, and Windows. Payloads are embedded in an obfuscated CSI container. Install-time components (dist\u002Fsetup.js and dist\u002Fintro.js) are entirely new in version 8.14.0. These behaviors are absent from the previous release, 8.13.0. # The compromised jscrambler package is used to integrate Jscrambler’s JavaScript code-protection tooling into application build pipelines. Developers commonly install it as a development dependency or invoke it through CI systems to process production builds. Because the malicious code runs through a preinstall hook, simply installing jscrambler@8.14.0 is enough to trigger the bundled platform-specific binary. Users do not need to import the package or run the Jscrambler CLI. This creates potential exposure across developer workstations, automated build systems, and CI environments. Depending on where the package was installed, the malicious binary may have executed with access to source code, environment variables, build credentials, deployment tokens, and other secrets available to the npm process. The package receives approximately 15,800 weekly downloads, although the number of users who installed the compromised version is not yet known. Socket detected and flagged version 8.14.0 six minutes after it was published. Recommendation # Users should remove jscrambler@8.14.0, rotate any credentials accessible to affected development or CI environments, review installation logs for execution of dist\u002Fsetup.js, and revert to a verified clean release. Pin to version 8.13.0 or another verified clean release until the maintainers publish a remediation. Socket has reported the compromised release to the Jscrambler maintainers, and a public tracking issue is available on GitHub: https:\u002F\u002Fgithub.com\u002Fjscrambler\u002Fjscrambler\u002Fissues\u002F322 Technical Analysis # The compromised version 8.14.0 ships two malicious files under dist\u002F. setup.js is a small loader that runs on install via a preinstall hook such that is gets executed whether or not the package is ever actually imported. intro.js, despite its name and .js extension, is not JavaScript at all. It is an approximately 7.8 MB large binary container marked with a custom five-byte header (1b 43 53 49 01, i.e. \\x1bCSI\\x01), whose sixth byte is a payload count. The container packs three gzip-compressed native executables, one per operating system: A Linux x86-64 ELF A Windows x86-64 PE32+ An Apple Silicon (arm64) macOS Mach-O On install or run, setup.js: Reads the container. Selects the single blob matching process.platform. Decompresses it to a randomly named hidden file in the system temp directory (appending .exe on Windows). Marks it executable. Launches it with spawn(..., { detached: true, stdio: 'ignore', windowsHide: true }) followed by unref(). In plain terms: the loader silently drops and executes a native binary in the background, tailored to the victim's operating system. The embedded executables are Rust-built, cross-platform infostealers (Linux x86-64, Windows x86-64, macOS arm64). Analysis of the payloads reveals a broad, developer-focused credential and secret harvester. Its sensitive configuration strings are individually encrypted with ChaCha20-Poly1305; we recovered approximately 2,400 of them. Capabilities and Target Surface # The malware stores its sensitive strings encrypted (see String Obfuscation below). Once decrypted, the target surface is extensive and clearly oriented toward developer and cloud-operator machines — a rational choice for an npm-delivered payload, since the victims are developers. Cryptocurrency wallets and seed phrases Browser-extension wallets are targeted by their extension IDs: MetaMask — nkbihfbeogaeaoehlefnkodbefgpgknn Trust Wallet — egjidjbpglichdcondbcbdnbeeppgdph Coinbase Wallet — hnfanknocfeofbddgcijnmhnfnkdnaad Phantom — bfnaelmomeimhlpmgjnjophhpkkoljpa The Exodus wallet (server.exodus.io) is also targeted. The config contains vault- and seed-extraction keys — HD Key Tree, mnemonic, seedPhrase, recoveryPhrase, and seed — plus scrypt KDF parameters (salt, iterations, N, r, p). This indicates an attempt to decrypt wallet vaults, not merely copy files. AI coding assistants and MCP server configs A distinctive and current focus: the malware enumerates configuration for AI developer tooling, which frequently holds API keys and Model Context Protocol (MCP) server credentials. Targets include: Claude Desktop — .config\u002FClaude\u002Fclaude_desktop_config.json, .claude.json Cursor — .cursor\u002Fmcp.json Windsurf — .codeium\u002Fwindsurf\u002Fmcp_config.json Factory — .factory\u002Fmcp.json Zed — .config\u002Fzed\u002Fsettings.json, context_servers VS Code \u002F VS Code Insiders — settings.json, .mcp.json, mcpServers opencode Cloud credentials The payload targets all three major clouds: GCP — metadata.google.internal, the compute-metadata service-account token endpoint, GOOGLE_APPLICATION_CREDENTIALS, .config\u002Fgcloud, credentials.db, access_tokens.db, application_default_credentials.json, and Secret Manager access. AWS — the ECS task-metadata endpoint 169.254.170.2, secretsmanager.GetSecretValue \u002F ListSecrets, and SSM Parameter Store AmazonSSM.GetParameters \u002F DescribeParameters. Azure — the IMDS endpoint 169.254.169.254 and management.azure.com. Messaging and collaboration Discord — stable, PTB, and Canary bundle IDs; \u002Fapi\u002Fv9\u002Fusers\u002F@me and guild enumeration. Slack — .slack.com, \u002Fapi\u002Fauth.test. Telegram Desktop — tdata, key_datas. Browsers, gaming, and OS keyrings Chromium-family browsers — Chrome, Chromium, Edge, Brave, Vivaldi, and Opera (both Linux profile paths and macOS bundle identifiers), read via embedded LevelDB and SQLite. Firefox — profiles.ini, cookies.sqlite, prefs.js. Steam — session theft via steamLoginSecure, loginusers.vdf, ConnectCache. KDE KWallet — OS keyring access. Privilege escalation, persistence, and reconnaissance Local privilege escalation is attempted via sudo -S -p (password on stdin) and systemd-run --system --no-ask-password. Persistence references include systemd user and system units, crontab, and macOS LaunchAgents. Host reconnaissance and anti-analysis strings include check.torproject.org with \u002Fapi\u002Fip, the public resolvers 1.1.1.1 and 8.8.8.8, and machine fingerprinting via \u002Fetc\u002Fmachine-id, \u002Fvar\u002Flib\u002Fdbus\u002Fmachine-id, and \u002Fsys\u002Fclass\u002Fdmi\u002Fid\u002Fboard_serial. # The malware's sensitive strings are not stored in cleartext. Each is individually encrypted with ChaCha20-Poly1305 (IETF, 12-byte nonce) and decrypted on demand into lazily initialized statics. Per string, the binary embeds: A 32-byte key in .rodata (loaded in the decompiled code as a movups\u002Fmovupd pair of adjacent 16-byte reads). A 12-byte nonce materialized inline from immediates (a movabs imm64 followed by a mov dword ptr [...], imm32). The ciphertext in .rodata, whose trailing 16 bytes are the Poly1305 authentication tag. An empty AAD. In the Linux binary, the per-string decrypt helper is at 0x1782f9, and a large lazy-initializer at 0x25c5e5 decrypts the wallet-targeting block into .bss statics. The standalone ChaCha20 core is at 0x425340; the config AEAD's Poly1305 clamp constant is at 0x2e2c0, distinct from the rustls TLS instance whose clamp is at 0xbaee0. Because Poly1305 is an authenticator, a wrong key, nonce, or ciphertext boundary fails tag verification — decryption is self-validating. We recovered ~2,421 strings this way, cross-validated with two independent AEAD implementations (OpenSSL and libsodium) yielding byte-identical plaintext with zero tag mismatches. A reproduction outline is in the appendix. Network exfiltration Static analysis confirmed outbound exfiltration, carried over TLS via rustls. The payload contains a literal POST \u002Fupload HTTP\u002F1.1 request with a multipart\u002Fform-data body, consistent with uploading harvested data to a drop server. It also constructs numerous POST\u002FPUT requests that query cloud and orchestration APIs using stolen credentials: cloud metadata services, Kubernetes (\u002Fapi\u002Fv1\u002Fnamespaces), AWS Secrets Manager and SSM, and others. Indicators of Compromise # Malicious npm package jscrambler@8.14.0 SHA-256 Hashes • dist\u002Fsetup.js —a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60 • dist\u002Fintro.js — a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86 • package.json — bba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0 Decompressed native payload SHA-256 • Linux ELF — fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd • Windows PE — b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903 • macOS Mach-O — c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd","The popular jscrambler npm package, version 8.14.0, was compromised and included hidden native binaries that execute automatically during the npm install process. This supply chain attack targets developer workstations and CI environments, potentially exposing sensitive information like API keys, credentials, and cryptocurrency wallet data. The malicious version was detected six minutes after publication.","jscrambler npm package compromised, injecting native binaries during install.","Research\u002FSecurity NewsFake Braintree NuGet Package Skims Credit Cards and Harvests Merchant CredentialsA malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps. By Joseph Edwards - Jul 09, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fjscrambler-supply-chain-attack?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Ff444d7fa1f0fb3405396ade190a25be2a7505938-996x592.png?w=1000&q=95&fit=max&auto=format","2026-07-11T15:36:39.053+00:00","2026-07-11T18:00:12.867066+00:00",9,[18,21],{"name":19,"type":20},"jscrambler","product",{"name":22,"type":23},"npm","technology","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":24,"icon":26,"name":27,"slug":28},null,"Supply Chain","supply-chain",[30,32,37,42],{"category":31},{"id":24,"icon":26,"name":27,"slug":28},{"category":33},{"id":34,"icon":26,"name":35,"slug":36},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":38},{"id":39,"icon":26,"name":40,"slug":41},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":43},{"id":44,"icon":26,"name":45,"slug":46},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[48,52,55,58,61,64],{"type":49,"value":50,"context":51},"hash_sha256","a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60","SHA-256 hash for dist\u002Fsetup.js in the compromised package.",{"type":49,"value":53,"context":54},"a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86","SHA-256 hash for dist\u002Fintro.js in the compromised package.",{"type":49,"value":56,"context":57},"bba32ddeab075a5e5015eec50f5d2af364c95b848732c714aea6b6baf78f49f0","SHA-256 hash for package.json in the compromised package.",{"type":49,"value":59,"context":60},"fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd","SHA-256 hash for the decompressed Linux ELF payload.",{"type":49,"value":62,"context":63},"b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903","SHA-256 hash for the decompressed Windows PE payload.",{"type":49,"value":65,"context":66},"c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd","SHA-256 hash for the decompressed macOS Mach-O payload."]