Compromised jscrambler 8.14.0 npm Release releases Rust Infostealer during installation

The jscrambler npm package has been compromised, and just installing its 8.14.0 release runs infostealer on your machine. Published on July 11, 2026, the malicious version contains a pre-installation hook that downloads and executes a native binary, one built for Windows, macOS, and Linux.
Socket marked the release six minutes after publication. If you or one of your build programs dragged you to that window, the payment is already active with any access your installation process had.
None of the previous releases, 8.13.0. The package diff shows two new files under dist/: setup.js, a small loader, and intro.js. Despite the name, intro.js is not JavaScript but an approximately 7.8MB container that packs three gzip-compressed packages, one each for Linux, Windows, and macOS.
On installation, setup.js selects a binary for the host’s operating system, writes it under a random name in the system’s temp directory, marks it as executable, and opens it with closed and hidden output.
Additional files are in the published package, but nowhere in the jscrambler community source. StepSecurity and SafeDep have both pulled and analyzed the release, and neither have the same commit, tag, or pull request for 8.14.0 in the GitHub repository.
Its latest version is 8.13.0. The version is pushed directly to npm under the official maintainer account, bypassing the project’s normal release flow. That points to a compromised npm account or build pipeline. Which of the two is yet to be established.
The payload is a Rust infostealer, built for all three platforms, that sweeps a developer’s machine to encrypt and send them to a pull server over TLS, according to an updated analysis by Socket and a statement on The Hacker News.
The target list is broad and targeted at developers: cloud credentials from AWS, Azure, and Google Cloud, including metadata endpoints used by CI runners; cryptocurrency wallets and seed phrases from MetaMask, Phantom, and Exodus; Bitwarden password manager vault; passwords and cookies stored by the browser; and sessions for Discord, Slack, Telegram, and Steam.
It also follows something new: configuration files for AI coding tools, including Claude Desktop, Cursor, Windsurf, VS Code, and Zed, where API keys and Model Context Protocol server credentials often reside.
Binaries do more than steal. On Linux, the payload links the BPF library for the kernel and can load the eBPF program directly into the kernel from memory. That’s a hold on the kernel, not the local user file access that every stealer relies on. StepSecurity and SafeDep both have marked capabilities, although what eBPF does is still classified.
Windows and macOS builds add anti-debugging checks, and hacking threads persist to enable restarts: a hidden Windows scheduled task is set to restart every minute, and the macOS LaunchAgent reloads on login. Its command and control information remains encrypted and is never exposed to static analysis.
StepSecurity’s runtime monitoring caught the downloaded binary reaching two hard-coded IP addresses and the Tor infrastructure, the first published network indicators of the campaign.
jscrambler is a build-time tool, included as a development dependency or from CI. Those places hold what the thief collects: cloud keys, donation tokens, and source code that can’t be accessed by a CI architecture or process.
![]() |
| Source: Security Initiative |
The package sees about 15,800 downloads per week, and how many download the corrupted version is not yet known. That’s a much smaller step than the packages found in last year’s big npm release, which drew billions of downloads a week between them.
For a thief destined to build machines, however, access was not the most important thing. Access is a thing.
The Shai-Hulud worm moved from the installation hook to steal tokens and spread to hundreds of packages that September. The most widely used hacking and debugging packages are taken from a fraudulent guardian account and used to redirect crypto payments.
In March, a hacked account pushed a cross-platform trojan to Axios, an HTTP library with more than 83 million weekly downloads. What makes the timing easier here is that npm had recently moved against this exact path: npm 12 was shipped on July 8, three days before this release, dependency installation scripts are disabled by default.
As of npm 12, a preinstallation hook like this doesn’t work unless someone approves it. Older clients still use them by default.
Version 8.15.0 has since moved to the top of the npm version list, published from the same maintainer account and showing none of the malware warnings 8.14.0 spun: no install script, no compiled binary. But 8.14.0 was not pulled.
It’s still in npm, so any lock file or command pinned to it keeps installing the stealer. Only the main CLI package was hit; jscrambler plugins for webpack, gulp, Metro, and grunt remain in their clean June release, without installation hooks.
What you have to do now
- Exit 8.14.0. Move to 8.15.0, or push to 8.13.0 for pre-release, and delete jscrambler@8.14.0 from lock files and caches.
- Check if you have installed 8.14.0. Check the lock files and package manager logs for jscrambler@8.14.0, as well as the CI logs for any run of dist/setup.js, from July 11 onwards. The loader drops its payload under a random name in a temporary directory, so no fixed binary name will be found by grep; enter installation timestamps against Node’s child processes and temporary list executions instead. In Windows, check the Task Manager for hidden tasks; on macOS, check ~/Library/LaunchAgents for an unusual list.
- If 8.14.0 is running on the machine, treat every secret you can access as stolen, not just public. Rotate cloud keys, npm and GitHub tokens, and AI-tool and MCP API keys; cancel Discord, Slack, browser, and Bitwarden sessions; and withdraw any crypto from wallets on that host. Block the two control and control IPs listed below.
Cleaning was quick, but the cleaner did its job in seconds after installation. The build pinned in 8.14.0, on an older client that uses install scripts, still processes checkout. And on any machine you’ve already run, the secrets were gone before 8.15.0 hit the top of the list.
Consensus indicators
Malicious package: jscrambler@8.14.0. SHA-256 hashes of additional files and their compressed payloads:
- dist/setup.js: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
- dist/intro.js: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
- Linux download: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
- Windows payload: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
- macOS download: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
Network endpoints StepSecurity detected at runtime. The two IPs are the endpoints of the direct attacker; binary and accesses the Tor infrastructure, which may be connected or routed:
- C2 IP: 37.27.122[.]124
- C2 IP: 57.128.246[.]79
- Tor infrastructure: check.torproject[.]org, repository.torproject[.]org
Host artifacts: a randomly named hidden file in the system’s temporary directory, of the form . {random} or . {random}.exe on Windows, and a hidden Windows scheduled task or macOS LaunchAgent for persistence.




