jscrambler npm package publishes malicious preinstall binary
Version 8.14.0 of the jscrambler npm package, the official CLI client for Jscrambler Code Integrity API, was published on July 11, 2026 with a malicious preinstall hook that drops and executes platform-specific native binaries on Linux, Windows, and macOS. The compromise was detected by StepSecurity's AI Release Analyzer immediately upon publication.
- Disclosed
- Last updated
- Blast radius
- Potentially all users who installed jscrambler version 8.14.0 from npm during the window of availability.
- Ecosystems
- Attack vectors
- Affected entities
- jscrambler · 8.14.0
On July 11, 2026, version 8.14.0 of the jscrambler npm package was published containing a malicious preinstall hook. The jscrambler package is the official command-line interface client for the Jscrambler Code Integrity API, a commercial JavaScript obfuscation and web-application protection service.
The compromised release included code that drops and executes platform-specific native binaries on Linux, Windows, and macOS systems during the package installation process. This represents a direct compromise of the package distribution, allowing arbitrary code execution on any system that installed the affected version.
The package had a clean version history dating back to version 0.1.0 prior to this incident. StepSecurity's AI Release Analyzer flagged the malicious release with a maximum suspicion score of 0 upon publication, enabling rapid detection of the compromise.
Indicators of compromise
- Packages
- jscrambler@8.14.0
Remediation
- Immediately uninstall jscrambler version 8.14.0 from all systems
- Audit systems that installed version 8.14.0 for signs of compromise or unauthorized binary execution
- Review npm package installation logs to identify affected deployments
- Update to a patched version of jscrambler once released by the maintainers
- Consider implementing package verification and scanning tools like StepSecurity's AI Release Analyzer in your supply chain
- Review and revoke any credentials or access tokens that may have been exposed on compromised systems
Sources
- jscrambler npm package publishes malicious preinstall binary · StepSecurity
Cite this entry
"jscrambler npm package publishes malicious preinstall binary." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 11, 2026; last updated July 11, 2026. https://supplychainattack.org/incident/jscrambler-npm-package-publishes-malicious-preinstall-binary-eirb3g
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activecritical
Malware in authvaultx
Malware discovered in the npm package authvaultx. Systems with this package installed or running are considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in auth-next-gen
Malware was discovered in the npm package auth-next-gen. Systems with this package installed or running should be considered fully compromised, with all secrets and keys requiring immediate rotation from a different computer.
npmCompromised package - resolvedcritical
Malware in crypto-promiser
The npm package crypto-promiser contained malware that provided full system compromise to attackers. Any computer with this package installed should be considered fully compromised and all secrets and keys rotated from a different system.
npmCompromised package - containedcritical
Malware in @luminarycloudinternal/lcvis-st
Malware was discovered in the npm package @luminarycloudinternal/lcvis-st. Any computer with this package installed or running should be considered fully compromised. All secrets and keys must be rotated immediately from a different computer.
npmCompromised package