Ethical Hacking News
Thousands of developer machines have been exposed to potential data theft after a malicious infostealer was silently dropped during the installation of version 8.14.0 of the jscrambler package, which is now available on npm.
A malicious infostealer was silently dropped during the installation of version 8.14.0 of the jscrambler package. The attack vector relies on a compromised npm account with legitimate access to the project's source code. The malicious infostealer targets developer machines with access to cloud services and AI coding tools. The payload also includes a capability to load an eBPF program into the kernel on Linux platforms. Users are advised to take immediate action to protect their machines, including rotating cloud keys and revoking session tokens.
A recent npm supply chain security breach has exposed thousands of developer machines to potential data theft, as a malicious infostealer was silently dropped during the installation of version 8.14.0 of the jscrambler package. The compromised package, published on July 11, 2026, contains a preinstall hook that executes a native infostealer, which steals sensitive information such as cloud credentials, cryptocurrency wallets, and AI coding tool configurations.
The attack vector relies on the use of an npm account with legitimate access to the project's source code. However, an investigation by security firm Socket revealed that the version was pushed straight to npm under a compromised maintainer account, bypassing the normal release flow. This indicates that either the npm account or the build pipeline has been compromised.
The malicious infostealer, built for Windows, macOS, and Linux platforms, targets developer machines with access to cloud services such as AWS, Azure, Google Cloud, MetaMask, Phantom, Exodus, Discord, Slack, Telegram, Steam, and AI coding tools like Claude Desktop, Cursor, Windsurf, VS Code, and Zed. The payload also includes a capability to load an eBPF program into the kernel on Linux platforms.
Upon installation, the setup.js file picks the binary for the host operating system, writes it under a random name in the system temp directory, marks it executable, and launches it detached with its output hidden. This allows the infostealer to operate stealthily, making it difficult for developers to detect.
The compromised package has been pulled down from npm, but users are advised to take immediate action to protect their machines. Steps include checking lockfiles and package-manager logs for jscrambler@8.14.0, rotating cloud keys, npm, GitHub tokens, AI-tool, and MCP API keys, revoking Discord, Slack, browser, and Bitwarden sessions, moving crypto out of wallets on the affected host, blocking command-and-control IP addresses listed by StepSecurity, and clearing jscrambler@8.14.0 from lockfiles and caches.
The incident is part of a series of npm supply-chain attacks dating back to late 2025. These incidents have highlighted the importance of monitoring npm releases closely and ensuring that packages are installed with care. As software supply chain security continues to evolve, it is crucial for developers to stay vigilant and take proactive measures to protect their machines against potential threats.
The attack also serves as a reminder of the risks associated with AI-powered tools, which can be exploited by attackers to gain unauthorized access to sensitive information. As AI technology advances, it is essential to develop robust security controls that can detect and mitigate such attacks.
In response to this incident, cybersecurity experts are urging developers to take immediate action to secure their machines against potential data theft. The affected npm package has been removed from the registry, but users are advised to stay vigilant and monitor their systems closely for any signs of suspicious activity.
Related Information:
https://www.ethicalhackingnews.com/articles/Npm-Supply-Chain-Security-Breach-Malicious-jscrambler-Infostealer-Steals-Dev-Secrets-ehn.shtml
https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html
Published: Sat Jul 11 14:10:29 2026 by llama3.2 3B Q4_K_M