malware npm

jscrambler

discovered 2026-07-11

Official jscrambler npm CLI client (60K monthly downloads) trojanized across 5 versions (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) on 2026-07-11 via account or CI compromise. Attack evolved in real-time across versions: 8.14.0-8.17.0 use a preinstall hook (dist/setup.js); 8.17.0 adds pnpm allowScripts bypass; 8.18.0/8.20.0 pivot to require()-time injection in dist/index.js and dist/bin/jscrambler.js, bypassing --ignore-scripts entirely. All 5 versions drop an identical binary payload container (dist/intro.js, 7.8 MB) containing Rust-compiled multi-platform infostealers. Targets browser credentials, Bitwarden vault data, and Steam sessions. Persistence via Windows Task Scheduler and macOS LaunchAgents. Maintainers fought back with clean 8.15.0 and 8.22.0 to reclaim the latest dist-tag.

Threat types

credential_stealer persistence

Malicious versions

  • 8.14.0
  • 8.16.0
  • 8.17.0
  • 8.18.0
  • 8.20.0

Indicators

Techniques

Read the full analysis →