Close Menu
    What's Hot

    Surge pricing hurts gig workers and consumers. Here’s how to fix it

    White House Directed Patel to Oversee Investigation Involving Times Reporting

    Poll: Patriotism in the US, Europe and Canada, charted

    Facebook X (Twitter) Instagram
    Trending
    • Surge pricing hurts gig workers and consumers. Here’s how to fix it
    • White House Directed Patel to Oversee Investigation Involving Times Reporting
    • Poll: Patriotism in the US, Europe and Canada, charted
    • We Make Lovely Home-Cooked Meals for Ourselves. Why Not Do the Same for Our Dogs?
    • Former England captain Heather Knight announces retirement from international cricket | Cricket News
    • Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
    • The secret to becoming a sporting superpower
    • How Will Maine Democrats Replace Graham Platner? Here’s What to Know.
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

    adminBy adminJuly 11, 2026No Comments6 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

    The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux.

    Socket flagged the release six minutes after it was published. If you or one of your build systems pulled it in that window, the payload has already run with whatever access your install process had.

    None of this is in the prior release, 8.13.0. The package diff shows two new files under dist/: setup.js, a small loader, and intro.js. Despite the name, intro.js is not JavaScript but a roughly 7.8MB container packing three gzip-compressed native binaries, one each for Linux, Windows, and macOS.

    On install, setup.js picks the binary for the host operating system, writes it under a random name in the system temp directory, marks it executable, and launches it detached with its output hidden.

    The added files are in the published package, but nowhere in jscrambler’s public source. StepSecurity and SafeDep both pulled and analyzed the release, and both report no matching commit, tag, or pull request for 8.14.0 in the GitHub repository.

    Its latest tag is still 8.13.0. The version was pushed straight to npm under a legitimate maintainer account, bypassing the project’s normal release flow. That points to a compromised npm account or build pipeline. Which of the two has not been established.

    The payload is a Rust infostealer, built for all three platforms, that sweeps a developer machine for secrets and ships them to a drop server over TLS, according to Socket’s updated analysis and a statement to The Hacker News.

    Cybersecurity

    The target list is broad and aimed at developers: cloud credentials from AWS, Azure, and Google Cloud, including the metadata endpoints CI runners use; cryptocurrency wallets and seed phrases from MetaMask, Phantom, and Exodus; the Bitwarden password manager vault; browser-stored passwords and cookies; and Discord, Slack, Telegram, and Steam sessions.

    It also goes after something newer: the config files for AI coding tools, including Claude Desktop, Cursor, Windsurf, VS Code, and Zed, where API keys and Model Context Protocol server credentials tend to sit.

    The binaries do more than steal. On Linux, the payload links the kernel’s BPF library and can load an eBPF program straight into the kernel from memory. That is a foothold in the kernel, not the userspace file access that the rest of the stealer relies on. StepSecurity and SafeDep both flagged the capability, though what the eBPF does is still being pulled apart.

    The Windows and macOS builds add anti-debugging checks, and the stealer wires in persistence to survive a reboot: a hidden Windows scheduled task set to relaunch every minute, and a macOS LaunchAgent that reloads on login. Its command-and-control details stay encrypted in the binary and never surfaced in static analysis.

    StepSecurity’s runtime monitoring caught the dropped binary reaching out to two hard-coded IP addresses and to Tor infrastructure, the first network indicators published for the campaign.

    jscrambler is a build-time tool, installed as a development dependency or run from CI. Those environments hold what the stealer collects: cloud keys, deploy tokens, and source code that a build or CI process can reach.

    Source: Step Security

    The package sees about 15,800 downloads a week, and how many pulled the compromised version is not yet known. That is a far smaller footprint than the packages hit in the big npm compromises of the past year, which pull billions of downloads a week between them.

    For a stealer aimed at build machines, though, reach was never the point. The access is.

    The Shai-Hulud worm ran from an install hook to steal tokens and spread through hundreds of packages that September. The widely used chalk and debug packages were taken over through a phished maintainer account and used to reroute crypto payments.

    In March, a hijacked account pushed a cross-platform trojan into Axios, an HTTP library with more than 83 million weekly downloads. What makes the timing here sharp is that npm had just moved against this exact route: npm 12 shipped on July 8, three days before this release, with dependency install scripts off by default.

    On npm 12, a preinstall hook like this one does not run unless someone approves it. Older clients still run them automatically.

    Version 8.15.0 has since replaced it at the top of npm’s version list, published from the same maintainer account and showing none of the malware alerts 8.14.0 tripped: no install script, no bundled binary. But 8.14.0 was not pulled.

    Cybersecurity

    It is still on npm, so any lockfile or command pinned to it keeps installing the stealer. Only the main CLI package was hit; the jscrambler plugins for webpack, gulp, Metro, and grunt stayed on their clean June releases, with no install hooks.

    What to do now

    1. Get off 8.14.0. Move to 8.15.0, or pin to 8.13.0 for a release from before the incident, and clear jscrambler@8.14.0 from lockfiles and caches.
    2. Work out whether you installed 8.14.0. Check lockfiles and package-manager logs for jscrambler@8.14.0, and CI records for any run of dist/setup.js, from July 11 on. The loader drops its payload under a random name in the temp directory, so there is no fixed binary name to grep for; line up install timestamps against Node child processes and temp-directory execution instead. On Windows, check Task Scheduler for hidden tasks; on macOS, inspect ~/Library/LaunchAgents for unfamiliar plists.
    3. If 8.14.0 ran on a machine, treat every secret it could reach as stolen, not just exposed. Rotate cloud keys, npm and GitHub tokens, and AI-tool and MCP API keys; revoke Discord, Slack, browser, and Bitwarden sessions; and move any crypto out of wallets on that host. Block the two command-and-control IPs listed below.

    The cleanup was fast, but a stealer does its work in the seconds after install. A build pinned to 8.14.0, on an older client that runs install scripts, still runs the payload. And on any machine that already ran it, the secrets were gone before 8.15.0 ever reached the top of the list.

    Indicators of compromise

    Malicious package: jscrambler@8.14.0. SHA-256 hashes for the added files and their decompressed payloads:

    • dist/setup.js: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
    • dist/intro.js: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
    • Linux payload: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
    • Windows payload: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
    • macOS payload: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd

    Network endpoints StepSecurity observed at runtime. The two IPs are the direct attacker endpoints; the binary also reaches Tor infrastructure, likely for connectivity or routing:

    • C2 IP: 37.27.122[.]124
    • C2 IP: 57.128.246[.]79
    • Tor infrastructure: check.torproject[.]org, archive.torproject[.]org

    On-host artifacts: a randomly named hidden file in the system temp directory, of the form .{random} or .{random}.exe on Windows, plus a hidden Windows scheduled task or a macOS LaunchAgent for persistence.

    8.14.0 Compromised drops Infostealer Install jscrambler npm release rust
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleThe secret to becoming a sporting superpower
    Next Article Former England captain Heather Knight announces retirement from international cricket | Cricket News
    admin
    • Website

    Related Posts

    Ransomware Negotiator Gets 70 Months in Prison for Aiding BlackCat Attacks

    July 11, 2026

    Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access

    July 11, 2026

    Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions

    July 11, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Surge pricing hurts gig workers and consumers. Here’s how to fix it

    White House Directed Patel to Oversee Investigation Involving Times Reporting

    Poll: Patriotism in the US, Europe and Canada, charted

    We Make Lovely Home-Cooked Meals for Ourselves. Why Not Do the Same for Our Dogs?

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by