387/69 Wednesday, July 15, 2026

Security researchers have disclosed a supply chain attack affecting the official jscrambler package on npm. Attackers published modified versions of the package containing a Rust-based infostealer, putting developer machines and CI/CD systems that installed the affected package at risk of sensitive data theft. Jscrambler stated that the issue affects package versions 8.14, 8.16, 8.17, and 8.20, and recommends updating to version 8.22 or later.
Reports indicate that the affected versions included malicious code designed to download and execute binaries for Windows, macOS, and Linux during the package installation process. This allowed the malware to run before the application itself started. The malware was designed to steal sensitive developer data, such as SSH keys, Git tokens, cloud provider credentials, cryptocurrency wallets, and data from web browsers. Researchers detected the suspicious activity within minutes after the malicious package was published.
Developers and system administrators should check whether their projects or CI/CD systems installed the affected versions of the jscrambler package. If found, they should remove the package and update to version 8.22 or later. They should also inspect systems where the package was installed for signs of compromise, rotate credentials and API keys that may have been exposed, clear caches, and update lockfiles to prevent the malicious versions from being installed again.
