Back to advisories

Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

jscrambler npm package v8.14.0 was compromised and distributed a Rust-based infostealer that executes during npm install. Any developer who installed this version had malware run on their machine with access to cloud credentials, crypto wallets, passwords, and AI tool configs. This affects organizations using jscrambler in their supply chain and the developer machines of anyone who pulled this package.

CRITICALAdvisoryJul 13, 2026
Action required
Immediate: Check npm audit logs and package-lock.json files across your environment for jscrambler 8.14.0. Isolate any affected developer machines, revoke all cloud credentials and API keys used on those systems, and assume credential compromise. Require a rollback to v8.13.x or earlier and block v8.14.0 in your npm proxy.
Affected products
jscramblernpm