Jscrambler 8.14.0 malicious preinstall infostealer release
Malware Activity
Summary
Hide ▲
Show ▼
The jscrambler 8.14.0 npm release now ships a malicious preinstall hook that runs a Rust infostealer during install, putting developer and CI secrets at risk on Windows, macOS, and Linux. The package executes without any import or CLI call, so a routine dependency install is enough to trigger theft. The payload targets cloud credentials, browser sessions, wallets, password-manager data, and AI-tool API keys. The release was later replaced by a clean 8.15.0, but any system that already installed 8.14.0 may have exposed secrets.
Related Happenings
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
AUR package-hijacking campaign delivering atomic-lockfile
Campaign
H score11
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
AUR package-hijacking campaign delivering atomic-lockfile
CampaignAbout this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware ActivityAbout this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Timeline
-
11.07.2026 20:59 2 articles · 3h ago
jscrambler 8.14.0 ships a malicious preinstall hook
Initial DisclosureVersion 8.14.0 of the jscrambler npm package is published with a malicious preinstall hook that silently drops and runs a native infostealer during installation on Windows, macOS, and Linux, so a routine dependency install is enough to execute the payload.
Show sources
- Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install — thehackernews.com — 11.07.2026 20:59
- Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install — thehackernews.com — 11.07.2026 20:59
-
11.07.2026 20:59 1 articles · 3h ago
jscrambler 8.14.0 bundles hidden native payloads in dist/
Technical Analysis UpdateThe published package adds dist/setup.js and dist/intro.js; setup.js picks the host operating system, writes the matching binary to the system temp directory under a random name, marks it executable, and launches it detached with hidden output, while intro.js is a roughly 7.8MB container packing three gzip-compressed native binaries for Linux, Windows, and macOS. StepSecurity and SafeDep find no matching commit, tag, or pull request for 8.14.0 in the GitHub repository.
Show sources
- Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install — thehackernews.com — 11.07.2026 20:59
-
11.07.2026 20:59 1 articles · 3h ago
jscrambler 8.14.0 targets cloud keys, wallets, and AI tool secrets
Victim Impact UpdateThe Rust infostealer is built to sweep a developer machine for secrets and ship them over TLS, pulling cloud credentials from AWS, Azure, and Google Cloud, browser passwords and cookies, wallet and seed-phrase data from MetaMask, Phantom, Exodus, and Bitwarden, and sessions from Discord, Slack, Telegram, and Steam. It also goes after config files for Claude Desktop, Cursor, Windsurf, VS Code, and Zed, where API keys and Model Context Protocol server credentials tend to live.
Show sources
- Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install — thehackernews.com — 11.07.2026 20:59
-
11.07.2026 20:59 1 articles · 3h ago
Socket and StepSecurity expose jscrambler 8.14.0 command-and-control traffic
Detection Ioc UpdateSocket flags the release six minutes after publication, and StepSecurity runtime monitoring catches the dropped binary reaching two hard-coded attacker IPs, 37.27.122[.]124 and 57.128.246[.]79, plus Tor infrastructure including check.torproject[.]org and archive.torproject[.]org. Those are the first network indicators published for the campaign.
Show sources
- Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install — thehackernews.com — 11.07.2026 20:59