Version 8.14.0 of the jscrambler npm package was found to contain a malicious preinstall hook that silently installs and runs a native infostealer across Windows, macOS, and Linux systems during the installation process. This malicious version was published on July 11, 2026, and requires no explicit import or command-line execution to activate, making any installation of it sufficient to trigger the payload, according to a recent report by The Hacker News.The jscrambler supply chain attack involved a malicious preinstall hook within version 8.14.0 of the npm package. This hook, hidden within the "intro.js" file, contained native binaries for Windows, macOS, and Linux. Upon installation, a loader script ("setup.js") would extract the appropriate binary, mark it as executable in the system's temporary directory, and run it discreetly. The infostealer targets developers by collecting cloud credentials (AWS, Azure, Google Cloud), cryptocurrency wallet information, browser data, and configuration files for AI coding tools. It also includes advanced capabilities like eBPF program loading on Linux and persistence mechanisms on Windows and macOS.Command-and-control communication was observed reaching out to hard-coded IP addresses and Tor infrastructure. This incident highlights a recurring pattern of npm supply-chain attacks, emphasizing the risks associated with compromised accounts or build pipelines, especially as it bypassed recent npm security enhancements designed to mitigate such threats.Source: The Hacker News
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




