{"id":16632,"date":"2026-07-12T05:35:01","date_gmt":"2026-07-12T05:35:01","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=16632"},"modified":"2026-07-12T05:35:01","modified_gmt":"2026-07-12T05:35:01","slug":"compromised-jscrambler-8-14-0-npm-launch-drops-rust-infostealer-throughout-set-up","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=16632","title":{"rendered":"Compromised jscrambler 8.14.0 npm Launch Drops Rust Infostealer Throughout Set up"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhodiWPXDsex6YL7v4e2n_D5MJFMht76GRRmHTdiG61tfEmsoZyow4tkiS3ORACILDl2fNP27YQkw1XLSBKGcom-DhCVzzPDdkdSgeMGdxcVL_rgO70x5LqZcjxKAPTtFOquB8LwSBPWrSpflqCzns-cFZ_EVm0WZfV7wSoPM3S-7_IGtCT3AjxY0rfITU\/s1600\/npm-js.jpg\" style=\"clear: left; display: block; float: left; padding: 1em 0px; text-align: center;\"><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"470\" data-original-width=\"900\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhodiWPXDsex6YL7v4e2n_D5MJFMht76GRRmHTdiG61tfEmsoZyow4tkiS3ORACILDl2fNP27YQkw1XLSBKGcom-DhCVzzPDdkdSgeMGdxcVL_rgO70x5LqZcjxKAPTtFOquB8LwSBPWrSpflqCzns-cFZ_EVm0WZfV7wSoPM3S-7_IGtCT3AjxY0rfITU\/s1600\/npm-js.jpg\"\/><\/a><\/div>\n<p>The jscrambler npm package deal was compromised, and easily putting in its\u00a08.14.0\u00a0launch runs an infostealer in your machine. Printed on July 11, 2026, the malicious model carries a\u00a0preinstall\u00a0hook that drops and executes a local binary, one construct every for Home windows, macOS, and Linux.<\/p>\n<p>Socket flagged the discharge\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/socket.dev\/blog\/jscrambler-supply-chain-attack\" target=\"_blank\">six minutes after it was revealed<\/a>. When you or considered one of your construct programs pulled it in that window, the payload has already run with no matter entry your set up course of\u00a0had.<\/p>\n<p>None of that is within the prior launch,\u00a08.13.0.\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/socket.dev\/npm\/package\/jscrambler\/diff\/8.14.0\" target=\"_blank\">The package deal diff<\/a>\u00a0exhibits two new recordsdata below\u00a0dist\/:\u00a0setup.js, a small loader, and\u00a0intro.js. Regardless of the identify,\u00a0intro.js\u00a0isn&#8217;t JavaScript however a roughly 7.8MB container packing three gzip-compressed native binaries, one every for Linux, Home windows, and macOS.<\/p>\n<p>On set up,\u00a0setup.js\u00a0picks the binary for the host working system, writes it below a random identify within the system temp listing, marks it executable, and launches it indifferent with its output hidden.<\/p>\n<p>The added recordsdata are within the revealed package deal, however nowhere in jscrambler&#8217;s public supply. <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.stepsecurity.io\/blog\/jscrambler-npm-package-publishes-malicious-preinstall-binary\" target=\"_blank\">StepSecurity<\/a> and <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/safedep.io\/jscrambler-npm-supply-chain-compromise\/\" target=\"_blank\">SafeDep<\/a> each pulled and analyzed the discharge, and each report no matching commit, tag, or pull request for 8.14.0 within the GitHub repository.<\/p>\n<p>Its newest tag remains to be 8.13.0. The model was pushed straight to npm below a reliable maintainer account, bypassing the challenge&#8217;s regular launch circulate. That factors to a compromised npm account or construct pipeline. Which of the 2 has not been established.<\/p>\n<p>The payload is a Rust infostealer, constructed for all three platforms, that sweeps a developer machine for secrets and techniques and ships them to a drop server over TLS, in response to Socket&#8217;s\u00a0up to date evaluation\u00a0and an announcement to The Hacker Information.<\/p>\n<p><\/p>\n<p>The goal checklist is broad and geared toward builders: cloud credentials from AWS, Azure, and Google Cloud, together with the metadata endpoints CI runners use; cryptocurrency wallets and seed phrases from MetaMask, Phantom, and Exodus; the Bitwarden password supervisor vault; browser-stored passwords and cookies; and Discord, Slack, Telegram, and Steam classes.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" name=\"more\"\/><\/p>\n<p>It additionally goes after one thing newer: the config recordsdata for AI coding instruments, together with Claude Desktop, Cursor, Windsurf, VS Code, and Zed, the place API keys and Mannequin Context Protocol server credentials are inclined to\u00a0sit.<\/p>\n<p>The binaries do greater than steal. On Linux, the payload hyperlinks the kernel&#8217;s BPF library and might load an eBPF program straight into the kernel from reminiscence. That may be a foothold within the kernel, not the userspace file entry that the remainder of the stealer depends on. StepSecurity and SafeDep each flagged the aptitude, although what the eBPF does remains to be being pulled aside.<\/p>\n<p>The Home windows and macOS builds add anti-debugging checks, and the stealer wires in persistence to outlive a reboot: a hidden Home windows scheduled process set to relaunch each minute, and a macOS LaunchAgent that reloads on login. Its command-and-control particulars keep encrypted within the binary and by no means surfaced in static evaluation.<\/p>\n<p>StepSecurity&#8217;s runtime monitoring caught the dropped binary reaching out to 2 hard-coded IP addresses and to Tor infrastructure, the primary community indicators revealed for the marketing campaign.<\/p>\n<p>jscrambler is a build-time software, put in as a improvement dependency or run from CI. These environments maintain what the stealer collects: cloud keys, deploy tokens, and supply code {that a} construct or CI course of can attain.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi31tvSsQoYD4uTw5y2PID3PwQgCXwPYz8oOnO1Y7L0KFfaSLiWm60x7RHZGMUzVWvcYJyBtzW0GtKmx4cTCluKWu-LrkxSuD4VSCI_tEfW971OnP41ygsaVhKKrJZSDAJh1oaOJiWfId-NO2EG7uFr5o0W-FZGZzjluGWPZmYzlFJ4PJVm6WLL1f0Xly4\/s1600\/tor.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto; padding: 1em 0px; text-align: center;\"><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"1868\" data-original-width=\"3202\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi31tvSsQoYD4uTw5y2PID3PwQgCXwPYz8oOnO1Y7L0KFfaSLiWm60x7RHZGMUzVWvcYJyBtzW0GtKmx4cTCluKWu-LrkxSuD4VSCI_tEfW971OnP41ygsaVhKKrJZSDAJh1oaOJiWfId-NO2EG7uFr5o0W-FZGZzjluGWPZmYzlFJ4PJVm6WLL1f0Xly4\/s1600\/tor.png\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Supply: Step Safety<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The package deal sees about 15,800 downloads every week, and what number of pulled the compromised model isn&#8217;t but identified. That may be a far smaller footprint than the packages hit within the huge npm compromises of the previous yr, which pull billions of downloads every week between them.<\/p>\n<p>For a stealer geared toward construct machines, although, attain was by no means the purpose. The entry\u00a0is.<\/p>\n<p>The\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/thehackernews.com\/2025\/09\/40-npm-packages-compromised-in-supply.html\" target=\"_blank\">Shai-Hulud worm<\/a>\u00a0ran from an set up hook to steal tokens and\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/unit42.paloaltonetworks.com\/monitoring-npm-supply-chain-attacks\/\" target=\"_blank\">unfold by way of a whole lot of packages<\/a>\u00a0that September. The extensively used\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/thehackernews.com\/2025\/09\/20-popular-npm-packages-with-2-billion.html\" target=\"_blank\">chalk\u00a0and\u00a0debug<\/a>\u00a0packages have been\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.paloaltonetworks.com\/blog\/cloud-security\/npm-supply-chain-attack\/\" target=\"_blank\">taken over by way of a phished maintainer account<\/a>\u00a0and used to reroute crypto funds.<\/p>\n<p>In March, a hijacked account pushed a cross-platform trojan into\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/thehackernews.com\/2026\/03\/axios-supply-chain-attack-pushes-cross.html\" target=\"_blank\">Axios<\/a>, an HTTP library with greater than 83 million weekly downloads. What makes the timing right here sharp is that npm had simply moved towards this actual route:\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.blog\/changelog\/2026-07-08-npm-install-time-security-and-gat-bypass2fa-deprecation\/\" target=\"_blank\">npm 12<\/a>\u00a0shipped on July 8, three days earlier than this launch, with\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/thehackernews.com\/2026\/07\/npm-12-disables-install-scripts-by.html\" target=\"_blank\">dependency set up scripts off by default<\/a>.<\/p>\n<p>On npm 12, a\u00a0preinstall\u00a0hook like this one doesn&#8217;t run except somebody approves it. Older shoppers nonetheless run them robotically.<\/p>\n<p>Model\u00a08.15.0\u00a0has since changed it on the prime of\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/socket.dev\/npm\/package\/jscrambler\" target=\"_blank\">npm&#8217;s model checklist<\/a>, revealed from the identical maintainer account and exhibiting not one of the malware alerts 8.14.0 tripped: no set up script, no bundled binary. However 8.14.0 was not pulled.<\/p>\n<p><\/p>\n<p>It&#8217;s nonetheless on npm, so any lockfile or command pinned to it retains putting in the stealer. Solely the primary CLI package deal was hit; the jscrambler plugins for webpack, gulp, Metro, and grunt stayed on their clear June releases, with no set up hooks.<\/p>\n<h2>What to do\u00a0now<\/h2>\n<ol>\n<li>Get off 8.14.0. Transfer to\u00a08.15.0, or pin to\u00a08.13.0\u00a0for a launch from earlier than the incident, and clear\u00a0jscrambler@8.14.0\u00a0from lockfiles and caches.<\/li>\n<li>Work out whether or not you put in 8.14.0. Examine lockfiles and package-manager logs for\u00a0jscrambler@8.14.0, and CI information for any run of\u00a0dist\/setup.js, from July 11 on. The loader drops its payload below a random identify within the temp listing, so there isn&#8217;t a mounted binary identify to grep for; line up set up timestamps towards Node baby processes and temp-directory execution as a substitute. On Home windows, test Activity Scheduler for hidden duties; on macOS, examine\u00a0~\/Library\/LaunchAgents\u00a0for unfamiliar plists.<\/li>\n<li>If 8.14.0 ran on a machine, deal with each secret it may attain as stolen, not simply uncovered. Rotate cloud keys, npm and GitHub tokens, and AI-tool and MCP API keys; revoke Discord, Slack, browser, and Bitwarden classes; and transfer any crypto out of wallets on that host. Block the 2 command-and-control IPs listed beneath.<\/li>\n<\/ol>\n<p>The cleanup was quick, however a stealer does its work within the seconds after set up. A construct pinned to eight.14.0, on an older shopper that runs set up scripts, nonetheless runs the payload. And on any machine that already ran it, the secrets and techniques have been gone earlier than 8.15.0 ever reached the highest of the checklist.<\/p>\n<h2>Indicators of compromise<\/h2>\n<p>Malicious package deal:\u00a0jscrambler@8.14.0. SHA-256 hashes for the added recordsdata and their decompressed payloads:<\/p>\n<ul>\n<li>dist\/setup.js:\u00a0a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60<\/li>\n<li>dist\/intro.js:\u00a0a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86<\/li>\n<li>Linux payload:\u00a0fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd<\/li>\n<li>Home windows payload:\u00a0b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903<\/li>\n<li>macOS payload:\u00a0c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd<\/li>\n<\/ul>\n<p>Community endpoints StepSecurity noticed at runtime. The 2 IPs are the direct attacker endpoints; the binary additionally reaches Tor infrastructure, possible for connectivity or routing:<\/p>\n<ul>\n<li>C2 IP:\u00a037.27.122[.]124<\/li>\n<li>C2 IP:\u00a057.128.246[.]79<\/li>\n<li>Tor infrastructure:\u00a0test.torproject[.]org,\u00a0archive.torproject[.]org<\/li>\n<\/ul>\n<p>On-host artifacts: a randomly named hidden file within the system temp listing, of the shape\u00a0.{random}\u00a0or\u00a0.{random}.exe\u00a0on Home windows, plus a hidden Home windows scheduled process or a macOS LaunchAgent for persistence.<\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>The jscrambler npm package deal was compromised, and easily putting in its\u00a08.14.0\u00a0launch runs an infostealer in your machine. Printed on July 11, 2026, the malicious model carries a\u00a0preinstall\u00a0hook that drops and executes a local binary, one construct every for Home windows, macOS, and Linux. Socket flagged the discharge\u00a0six minutes after it was revealed. When you [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16634,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[9739,3425,3068,3108,1804,9738,1116,922,7011],"class_list":["post-16632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-8-14-0","tag-compromised","tag-drops","tag-infostealer","tag-install","tag-jscrambler","tag-npm","tag-release","tag-rust"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16632"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16632\/revisions"}],"predecessor-version":[{"id":16633,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16632\/revisions\/16633"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/16634"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<!-- This website is optimized by Airlift. Learn more: https://airlift.net. Template:. Learn more: https://airlift.net. Template: 69d9690a190636c2e0989534. Config Timestamp: 2026-04-10 21:18:02 UTC, Cached Timestamp: 2026-07-12 08:17:38 UTC -->