A malicious version of the jscrambler npm package was published on July 11, 2026, embedding a Rust-based infostealer payload that executes during installation. Version 8.14.0 of the JavaScript obfuscation tool contained a preinstall hook that dropped and ran a native binary targeting Windows, macOS, and Linux systems.
Security firm Socket detected the compromise within six minutes of publication. The malicious release introduced two new files: setup.js, a lightweight loader, and intro.js, a roughly 7.8 MB container with gzip-compressed native binaries. The infostealer harvested credentials, browser data, cryptocurrency wallet files, and session tokens from the infected machine.
Organizations that pulled version 8.14.0 into their build pipelines during the brief exposure window should treat those systems as compromised. Rolling back to 8.13.0 removes the malicious code but does not undo data exfiltration. Teams should audit build logs for this version, rotate credentials on affected systems, and review npm package integrity verification practices.

