Find notable cyber news and cases, enriched with sources, timelines, and signals.

Jscrambler 8.14.0 malicious preinstall infostealer release

Malware Activity
First reported
Last updated
Happening score
H score 9
1 unique sources, 1 articles

Summary

Hide ▲

The jscrambler 8.14.0 npm release now ships a malicious preinstall hook that runs a Rust infostealer during install, putting developer and CI secrets at risk on Windows, macOS, and Linux. The package executes without any import or CLI call, so a routine dependency install is enough to trigger theft. The payload targets cloud credentials, browser sessions, wallets, password-manager data, and AI-tool API keys. The release was later replaced by a clean 8.15.0, but any system that already installed 8.14.0 may have exposed secrets.

Related Happenings

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

Timeline

  1. 11.07.2026 20:59 2 articles · 3h ago

    jscrambler 8.14.0 ships a malicious preinstall hook

    Initial Disclosure

    Version 8.14.0 of the jscrambler npm package is published with a malicious preinstall hook that silently drops and runs a native infostealer during installation on Windows, macOS, and Linux, so a routine dependency install is enough to execute the payload.

    Show sources
  2. 11.07.2026 20:59 1 articles · 3h ago

    jscrambler 8.14.0 bundles hidden native payloads in dist/

    Technical Analysis Update

    The published package adds dist/setup.js and dist/intro.js; setup.js picks the host operating system, writes the matching binary to the system temp directory under a random name, marks it executable, and launches it detached with hidden output, while intro.js is a roughly 7.8MB container packing three gzip-compressed native binaries for Linux, Windows, and macOS. StepSecurity and SafeDep find no matching commit, tag, or pull request for 8.14.0 in the GitHub repository.

    Show sources
  3. 11.07.2026 20:59 1 articles · 3h ago

    jscrambler 8.14.0 targets cloud keys, wallets, and AI tool secrets

    Victim Impact Update

    The Rust infostealer is built to sweep a developer machine for secrets and ship them over TLS, pulling cloud credentials from AWS, Azure, and Google Cloud, browser passwords and cookies, wallet and seed-phrase data from MetaMask, Phantom, Exodus, and Bitwarden, and sessions from Discord, Slack, Telegram, and Steam. It also goes after config files for Claude Desktop, Cursor, Windsurf, VS Code, and Zed, where API keys and Model Context Protocol server credentials tend to live.

    Show sources
  4. 11.07.2026 20:59 1 articles · 3h ago

    Socket and StepSecurity expose jscrambler 8.14.0 command-and-control traffic

    Detection Ioc Update

    Socket flags the release six minutes after publication, and StepSecurity runtime monitoring catches the dropped binary reaching two hard-coded attacker IPs, 37.27.122[.]124 and 57.128.246[.]79, plus Tor infrastructure including check.torproject[.]org and archive.torproject[.]org. Those are the first network indicators published for the campaign.

    Show sources