2026-07-12 · view entry permalink →
npm supply-chain wave status: jscrambler package compromised this week, extending the install-hook-evasion pattern seen in the injectivelabs SDK
The software-supply-chain pressure on the npm ecosystem that this pipeline has tracked as a sustained wave continued this week, with a fresh compromise that sharpens the evasion trend rather than repeating it.
On 2026-07-11 the jscrambler npm package — a code-protection/obfuscation build tool — was compromised via what Socket assesses as a stolen publishing credential or compromised build pipeline: a malicious v8.14.0 pushed directly to npm, bypassing the project's normal release flow, adding an undocumented preinstall hook that unpacks and detached-spawns a platform-specific Rust infostealer on npm install alone. The stealer targets cloud metadata-endpoint credentials, Kubernetes configs, browser secrets, crypto-wallet seeds, AI coding-tool configs and messaging tokens. The notable evolution: over roughly three hours the actor pushed four more malicious releases and, "starting with 8.18.0 the install hook is gone entirely—the identical dropper is instead injected as a self-executing function at the top of dist/index.js" — moving execution out of the very hook that install-script scanners watch (Socket, 2026-07-11). Socket "detected the compromised package 6 minutes after publication"; v8.22.0 is confirmed clean (The Hacker News, 2026-07-11). This is the same install-hook-evasion arc as this week's injectivelabs SDK compromise, though — unlike the Shai-Hulud worm strain — jscrambler has not been shown to self-propagate to other maintainers.
Starting with 8.18.0 the install hook is gone entirely—the identical dropper is instead injected as a self-executing function at the top of dist/index.js.
Socket detected the compromised package 6 minutes after publication.
Builds on: 2026-07-10/injectivelabs-npm-runtime-keyhook-supply-chain-evasion · 2026-06-29/npm-supply-chain-worms-a-sustained-wave-across-the-week