Jscrambler, maker of a widely used JavaScript protection product, has confirmed that its NPM package was hijacked over the weekend in a supply chain attack involving compromised publishing credentials. The company’s Code Integrity product relies on the package to make web and mobile applications tamper-resistant, giving the compromise broad downstream reach.
According to Jscrambler, the attack began on July 11 when a threat actor used stolen NPM publishing credentials to push a modified version of the package containing a preinstall hook designed to drop malicious binaries during installation. While Jscrambler worked to respond, the attacker published several more tainted releases, versions 8.16, 8.17, 8.18, and 8.20. The first clean version restored after the incident is 8.22.
Because the library is a dependency for several other tools, the compromise also touched Jscrambler-webpack-plugin (8.6.2), gulp-Jscrambler (8.6.2), grunt-Jscrambler (8.5.2), and Jscrambler-metro-plugin (9.0.2). NPM download data cited by Jscrambler shows the malicious versions were pulled 1,479 times before being deprecated and replaced.
How the Malware Worked
Supply chain security firm Socket analyzed the malicious packages and found the preinstall hook added two new files under dist/, setup.js and intro.js, along with binaries targeting Linux, macOS, and Windows. Once installed, the hook triggered setup.js, which loaded and executed a platform-specific binary via intro.js.
The binaries, written in Rust, function as information stealers targeting developer and cloud-operator credentials and secrets, cryptocurrency wallets and seed phrases, AI coding assistant and MCP server configurations, messaging and collaboration apps, browsers, Steam sessions, and OS keyrings. Socket noted the malware also attempts privilege escalation, establishes persistence, and performs host reconnaissance. Stolen data was exfiltrated over TLS using the rustls library, likely to an attacker-controlled drop server, and the malware constructed requests to query cloud and orchestration APIs using the credentials it harvested.
Response and Recommendations
Jscrambler said it has revoked and rotated all relevant publishing credentials, passwords, and secrets, and has added security controls to its publishing process while the investigation continues.
Organizations that installed the affected package versions are advised to immediately remove them from all systems, scan for malware, and rotate all credentials, tokens, and API keys that may have been exposed to the compromised environment.
