[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffATHF-kqwBdgzOq9w2iTTwuGpQayu_mf8uDtwg16kks":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"de25b805-5046-45cc-a491-b8541fee87d0","Multiple Jscrambler Packages Impacted by Supply Chain Attack","multiple-jscrambler-packages-impacted-by-supply-chain-attack-5ee013","A threat actor poisoned several Jscrambler NPM package versions to drop a cross-platform credential stealer. The post Multiple Jscrambler Packages Impacted by Supply Chain Attack appeared first on SecurityWeek.","A supply chain attack impacted multiple Jscrambler NPM packages, with a threat actor publishing malicious versions containing a preinstall hook to drop a cross-platform credential stealer. The malware targets credentials, cryptocurrency wallets, AI coding assistants, and cloud configurations, attempting to exfiltrate data and achieve persistence. Jscrambler has since deprecated the malicious versions and implemented enhanced security controls.","Malicious Jscrambler NPM packages dropped credential stealer via preinstall hook.","Several malicious versions of Jscrambler’s NPM package were published over the weekend as part of a supply chain attack involving compromised credentials. The popular NPM package is used within the Jscrambler Code Integrity product, a JavaScript protection solution that turns web and mobile applications self-defensive and tamper-resistant. The attack started on July 11, when a threat actor used the NPM publishing credentials to push a modified version of the package, containing a preinstall hook to drop binaries during the installation process. While Jscrambler was responding to the incident, the threat actor published additional malicious iterations of the package, namely 8.16, 8.17, 8.18, and 8.20. The first clean version of the package is 8.22. As the NPM library is a dependency for other packages, the incident also affected Jscrambler-webpack-plugin version 8.6.2, gulp-Jscrambler version 8.6.2, grunt-Jscrambler version 8.5.2, and Jscrambler-metro-plugin version 9.0.2. According to Jscrambler, NPM data shows that the malicious package versions were downloaded 1,479 times before they were deprecated and replaced with clean versions.Advertisement. Scroll to continue reading. “Our investigation indicates that the attacker was able to publish the package using an NPM publishing credential. We have revoked and rotated all relevant credentials, passwords, and secrets, and have implemented additional security controls around our publishing process while the investigation continues,” Jscrambler said. According to supply chain security firm Socket, the malicious package versions included the preinstall hook, two new files under dist\u002F, namely setup.js and intro.js, and binaries targeting Linux, macOS, and Windows. When the malicious package version is installed, the hook triggers the infection chain: setup.js is executed to load and execute a platform-specific binary from intro.js. Written in Rust, the binaries are information stealers targeting credentials and secrets on developer and cloud-operator machines, cryptocurrency wallets and seed phrases, AI coding assistants and MCP server configurations, messaging and collaboration applications, browsers, Steam sessions, and OS keyrings. The malware also attempts to elevate its privileges and achieve persistence, and performs host reconnaissance. Socket observed the malware exfiltrating harvested information over TLS via rustls, likely to a drop server. Additionally, the malware constructed requests to query cloud and orchestration APIs using stolen credentials. Users are advised to immediately remove the affected Jscrambler NPM package versions from their machines, scan the system for malware, and rotate all credentials, tokens, and API keys. Related: Ghost Accounts Abuse GitHub API in Mass Recon Campaign Related: North Korean Hackers Target Open Source Developers in Supply Chain Attacks Related: Network of 200 GitHub Repositories Used for Malware Infection Related: FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Progress Prompts ShareFile Storage Zone Controller Shutdown Amid Security ConcernsGhost Accounts Abuse GitHub API in Mass Recon CampaignOkta Warns of Vishing Attacks Targeting Microsoft 365 CustomersGigaWiper Combines Multiple Malware for System-Level SabotageNetwork of 200 GitHub Repositories Used for Malware Infection12 Million Impacted by Data Breach at Japanese Telco KDDI15-Year-Old Linux Vulnerability ‘GhostLock’ Earns Researchers $92k From GoogleMount Royal University Confirms Data Stolen in Ransomware Attack Latest News Valarian Raises $50 Million for Sovereign Infrastructure Control LayerPentagon Suspends CMMC Phase 2 as It Rethinks Contractor Cybersecurity RulesHacker Conversations: Jesse McGraw (GhostExodus), From Blackhat Hacker to RedemptionCybersecurity M&A Roundup: 37 Deals Announced in June 2026RabbitMQ Vulnerability Threatens Enterprise SystemsZimbra Patches Critical Code Execution VulnerabilityEU Targets Russian Intelligence Officers Accused of Running a Yearslong Cyber Spying CampaignOrganizations Warned of Exploited Joomla Extension Vulnerabilities Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveBlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.Solana Foundation has appointed Michael Coates as Chief Information Security Officer.Michael Sikorski has joined Coinbase as Chief Information Security Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email","https:\u002F\u002Fwww.securityweek.com\u002Fmultiple-jscrambler-packages-impacted-by-supply-chain-attack\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Fsupply-chain-threat.webp","2026-07-14T09:04:39+00:00","2026-07-14T10:00:19.910143+00:00",9,[18,21,23,25,27,29],{"name":19,"type":20},"Jscrambler Code Integrity","product",{"name":22,"type":20},"Jscrambler-webpack-plugin",{"name":24,"type":20},"gulp-Jscrambler",{"name":26,"type":20},"grunt-Jscrambler",{"name":28,"type":20},"Jscrambler-metro-plugin",{"name":30,"type":31},"NPM","technology","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":32,"icon":34,"name":35,"slug":36},null,"Supply Chain","supply-chain",[38,40,45,50],{"category":39},{"id":32,"icon":34,"name":35,"slug":36},{"category":41},{"id":42,"icon":34,"name":43,"slug":44},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":51},{"id":52,"icon":34,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,59,63,66,69,72],{"type":44,"value":57,"context":58},"credential stealer","Malware dropped by malicious Jscrambler NPM packages.",{"type":60,"value":61,"context":62},"mitre_attack","T1547.001","Preinstall hook used for execution during package installation.",{"type":60,"value":64,"context":65},"T1059.001","Execution of setup.js script.",{"type":60,"value":67,"context":68},"T1071.001","Exfiltration over TLS.",{"type":60,"value":70,"context":71},"T1548.002","Privilege escalation attempts.",{"type":60,"value":73,"context":74},"T1083","Host reconnaissance."]