Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

jscrambler npm package publishes malicious preinstall binary

Version 8.14.0 of the jscrambler npm package, the official CLI client for Jscrambler Code Integrity API, was published on July 11, 2026 with a malicious preinstall hook that drops and executes platform-specific native binaries on Linux, Windows, and macOS. The compromise was detected by StepSecurity's AI Release Analyzer immediately upon publication.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Potentially all users who installed jscrambler version 8.14.0 from npm during the window of availability.
Ecosystems
Attack vectors
Affected entities
  • jscrambler · 8.14.0

On July 11, 2026, version 8.14.0 of the jscrambler npm package was published containing a malicious preinstall hook. The jscrambler package is the official command-line interface client for the Jscrambler Code Integrity API, a commercial JavaScript obfuscation and web-application protection service.

The compromised release included code that drops and executes platform-specific native binaries on Linux, Windows, and macOS systems during the package installation process. This represents a direct compromise of the package distribution, allowing arbitrary code execution on any system that installed the affected version.

The package had a clean version history dating back to version 0.1.0 prior to this incident. StepSecurity's AI Release Analyzer flagged the malicious release with a maximum suspicion score of 0 upon publication, enabling rapid detection of the compromise.

Indicators of compromise

Packages
  • jscrambler@8.14.0

Remediation

  • Immediately uninstall jscrambler version 8.14.0 from all systems
  • Audit systems that installed version 8.14.0 for signs of compromise or unauthorized binary execution
  • Review npm package installation logs to identify affected deployments
  • Update to a patched version of jscrambler once released by the maintainers
  • Consider implementing package verification and scanning tools like StepSecurity's AI Release Analyzer in your supply chain
  • Review and revoke any credentials or access tokens that may have been exposed on compromised systems

Sources

  1. jscrambler npm package publishes malicious preinstall binary · StepSecurity

Cite this entry

"jscrambler npm package publishes malicious preinstall binary." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 11, 2026; last updated July 11, 2026. https://supplychainattack.org/incident/jscrambler-npm-package-publishes-malicious-preinstall-binary-eirb3g

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. activecritical

    Malware in authvaultx

    Malware discovered in the npm package authvaultx. Systems with this package installed or running are considered fully compromised and require immediate remediation.

    npmCompromised package
  2. containedcritical

    Malware in auth-next-gen

    Malware was discovered in the npm package auth-next-gen. Systems with this package installed or running should be considered fully compromised, with all secrets and keys requiring immediate rotation from a different computer.

    npmCompromised package
  3. resolvedcritical

    Malware in crypto-promiser

    The npm package crypto-promiser contained malware that provided full system compromise to attackers. Any computer with this package installed should be considered fully compromised and all secrets and keys rotated from a different system.

    npmCompromised package
  4. containedcritical

    Malware in @luminarycloudinternal/lcvis-st

    Malware was discovered in the npm package @luminarycloudinternal/lcvis-st. Any computer with this package installed or running should be considered fully compromised. All secrets and keys must be rotated immediately from a different computer.

    npmCompromised package