jscrambler
discovered 2026-07-11Official jscrambler npm CLI client (60K monthly downloads) trojanized across 5 versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) on 2026-07-11 via account or CI compromise. Attack evolved in real-time across versions: 8.14.0-8.17.0 use a preinstall hook (dist/setup.js); 8.17.0 adds pnpm allowScripts bypass; 8.18.0/8.20.0 pivot to require()-time injection in dist/index.js and dist/bin/jscrambler.js, bypassing --ignore-scripts entirely. All 5 versions drop an identical binary payload container (dist/intro.js, 7.8 MB) containing Rust-compiled multi-platform infostealers. Targets browser credentials, Bitwarden vault data, and Steam sessions. Persistence via Windows Task Scheduler and macOS LaunchAgents. Maintainers fought back with clean 8.15.0 and 8.22.0 to reclaim the latest dist-tag.
Threat types
Malicious versions
- 8.14.0
- 8.16.0
- 8.17.0
- 8.18.0
- 8.20.0
Indicators
- sha256 fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bddrops
- sha256 b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903drops
- sha256 c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fddrops
- sha256 9eeffcb5c3445ef9512f7776045f99ea23f9ebed989f8570bc4634b4e340de5dindicates
- sha256 a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86drops
- sha256 a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60drops
Techniques
- ttp T1195.002 Compromise Software Supply Chainuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1555.003 Credentials from Password Stores: Web Browsersuses
- ttp T1539 Steal Web Session Cookieuses
- ttp T1053.005 Scheduled Task/Job: Scheduled Taskuses
- ttp T1543.001 Create or Modify System Process: Launch Agentuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1562.001 Impair Defenses: Disable or Modify Toolsuses