ctipilot.ch

jscrambler npm supply-chain compromise (2026-07)

incident · incident:jscrambler-npm-supply-chain-2026

Stolen-credential/compromised-pipeline compromise of the jscrambler npm package (v8.14.0 through 8.20.0, 2026-07-11) pushing a Rust infostealer via an undocumented preinstall hook, later relocated to a self-executing dist/index.js function to evade install-script scanners; detected by Socket six minutes after publication, v8.22.0 clean (Socket / The Hacker News, 2026-07-11).

Coverage timeline
1
first 2026-07-12 → last 2026-07-12
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
weekly-long-running
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
3
pinned v19.1 · see below

ATT&CK techniques

3 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1195.002Supply Chain Compromise: Compromise Software Supply Chain×1

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Evidence: 2026-07-12/weekly-w28-npm-supply-chain-wave · ATT&CK page ↗

Stealth TA0005

T1027Obfuscated Files or Information×1

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Evidence: 2026-07-12/weekly-w28-npm-supply-chain-wave · ATT&CK page ↗

Credential Access TA0006

T1552.001Unsecured Credentials: Credentials In Files×1

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Evidence: 2026-07-12/weekly-w28-npm-supply-chain-wave · ATT&CK page ↗

Story timeline

  1. 2026-07-12npm supply-chain wave status: jscrambler package compromised this week, extending the install-hook-evasion pattern seen in the injectivelabs SDK
    weekly-long-runningnpm supply-chain wave — jscrambler (v8.14.0-8.20.0) pushed a Rust infostealer, moving the dropper out of the preinstall hook to evade scanners

Where this entity is cited

  • weekly-long-running1

Source distribution

  • socket.dev1 (50%)
  • thehackernews.com1 (50%)

explore in graph

Entries about jscrambler npm supply-chain compromise (2026-07) (1)

2026-07-12 · view entry permalink →

NOTABLENATOB1

npm supply-chain wave status: jscrambler package compromised this week, extending the install-hook-evasion pattern seen in the injectivelabs SDK

The software-supply-chain pressure on the npm ecosystem that this pipeline has tracked as a sustained wave continued this week, with a fresh compromise that sharpens the evasion trend rather than repeating it.

On 2026-07-11 the jscrambler npm package — a code-protection/obfuscation build tool — was compromised via what Socket assesses as a stolen publishing credential or compromised build pipeline: a malicious v8.14.0 pushed directly to npm, bypassing the project's normal release flow, adding an undocumented preinstall hook that unpacks and detached-spawns a platform-specific Rust infostealer on npm install alone. The stealer targets cloud metadata-endpoint credentials, Kubernetes configs, browser secrets, crypto-wallet seeds, AI coding-tool configs and messaging tokens. The notable evolution: over roughly three hours the actor pushed four more malicious releases and, "starting with 8.18.0 the install hook is gone entirely—the identical dropper is instead injected as a self-executing function at the top of dist/index.js" — moving execution out of the very hook that install-script scanners watch (Socket, 2026-07-11). Socket "detected the compromised package 6 minutes after publication"; v8.22.0 is confirmed clean (The Hacker News, 2026-07-11). This is the same install-hook-evasion arc as this week's injectivelabs SDK compromise, though — unlike the Shai-Hulud worm strain — jscrambler has not been shown to self-propagate to other maintainers.

Starting with 8.18.0 the install hook is gone entirely—the identical dropper is instead injected as a self-executing function at the top of dist/index.js.

Socket detected the compromised package 6 minutes after publication.

Socket

Builds on: 2026-07-10/injectivelabs-npm-runtime-keyhook-supply-chain-evasion · 2026-06-29/npm-supply-chain-worms-a-sustained-wave-across-the-week

synthesis12 Jul 23:48Zmulti-sourceOpen finding ↗