Client-side web security vendor Jscrambler has disclosed that attackers published a malicious version of its npm package, exposing developers who installed it to an information-stealing payload that ran automatically during installation.

The tampered package covered releases 8.14, 8.16, 8.17, and 8.20 of the jscrambler npm module, which is used with the company’s Code Integrity product. According to Jscrambler, the malware executed via the package’s ‘preinstall’ hook, meaning it ran as soon as the package was installed, before any manual steps by the developer.

Jscrambler said the incident was contained to that single package and did not affect other products, including Webpage Integrity. The company detected and remediated the issue quickly, deprecating the malicious release and shipping a clean version, 8.22, within roughly two hours. Four other Jscrambler packages that depended on the compromised module were also deprecated and replaced.

Despite the fast response, npm download statistics show the malicious package was pulled 1,479 times during the exposure window. The jscrambler package normally sees about 17,000 weekly downloads and is used by app developers to upload JavaScript to Jscrambler’s service for tamper protection.

Application security firm Socket identified the compromise and analyzed the payload, finding that it targeted a broad range of sensitive data, including:

  • Source code and project files
  • Developer credentials and secrets (Git, SSH, environment variables, CI/CD tokens)
  • Cloud credentials and secret managers (AWS, Azure, GCP, Kubernetes)
  • AI coding tool and MCP configurations (Claude, Cursor, Windsurf, VS Code, Zed)
  • Cryptocurrency wallets and seed phrases (MetaMask, Phantom, Coinbase, Exodus, Trust Wallet)
  • Browser cookies and saved credentials
  • Messaging and collaboration app data (Slack, Discord, Telegram)

Socket noted that the malware used strong per-string obfuscation based on the ChaCha20-Poly1305 encryption algorithm, complicating reverse-engineering efforts.

Jscrambler attributed the breach to compromised npm publishing credentials, which have since been revoked, and said it has added new security controls to its publishing pipeline to prevent a repeat incident.

Developers who installed any of the affected package versions during the exposure window should treat their environments as compromised. Jscrambler recommends rotating all secrets, including Git, SSH, cloud, and CI/CD credentials, restoring from clean backups, and upgrading to the latest package version.

The attack fits a broader pattern of npm supply-chain compromises targeting developer credentials and cryptocurrency wallets seen throughout 2026, including prior campaigns involving Shai-Hulud malware and other infected packages.