
The jscrambler npm package was backdoored five times in three hours on July 11. If your project or CI pipeline pulled any version between 8.14.0 and 8.20.0 — with the brief exception of 8.15.0 — a Rust-built infostealer executed on your machine before a single line of your code ran. It targeted cloud credentials, browser sessions, Bitwarden vaults, AI tool API keys, and crypto wallet seeds, then shipped everything to a remote server over TLS. jscrambler has confirmed the cause: a stolen npm publishing credential.
What Happened
On July 11, 2026, a threat actor compromised the jscrambler npm account and pushed a malicious preinstall hook into version 8.14.0. Socket.dev flagged it six minutes after publication — and the attacker spent the next three hours publishing four more compromised releases (8.16.0, 8.17.0, 8.18.0, 8.20.0), adapting the attack each time as defenders responded.
The initial versions (8.14.0 through 8.17.0) used a classic preinstall hook: a node script that unpacked a 7.8MB binary container holding native infostealers for Linux, macOS, and Windows, then launched the right one silently in the background. But here’s the part most coverage has missed.
The Part npm 12 Doesn’t Fix
npm 12 shipped on July 8 — three days before this attack — with install scripts disabled by default. For the preinstall-hook versions (8.14.0–8.17.0), npm 12 users got accidental protection. If you’d already upgraded, those hooks never ran.
Then the attacker adapted.
Versions 8.18.0 and 8.20.0 dropped the preinstall hook entirely and injected the dropper directly into dist/index.js and dist/bin/jscrambler.js as a self-executing function. That means it fires when the package is imported or the CLI is run — not at install time. npm install --ignore-scripts does nothing against this. Hook-based scanners miss it completely. npm 12’s allowScripts mechanism has no visibility into runtime code.
The attacker figured out the defense within hours and went around it. Those two versions (8.18.0 and 8.20.0) are still live on the npm registry and, as of this writing, not marked as deprecated.
What Was Stolen
The infostealer wasn’t built for opportunistic credential collection. It was built for developer machines specifically. The target list reflects that: AWS, Azure, and GCP credentials (including the metadata endpoint tokens CI runners carry), AI tooling configs and MCP server API keys, browser profiles across Chrome, Brave, and Edge, Bitwarden extension data, Steam sessions, and crypto wallet seeds from MetaMask, Phantom, and Exodus. On macOS and Windows, it installed persistence before exiting — LaunchAgents and Task Scheduler entries that survive a reboot.
Developers are the target because developers have access to everything. Your machine holds the keys to staging and production, your org’s cloud accounts, your team’s deployment pipelines, and whatever you’ve been building with AI tooling. That’s not collateral — it’s the point.
What To Do Right Now
First: confirm your exposure. Run npm ls jscrambler and check your lockfile history. If any version from 8.14.0 to 8.20.0 (excluding 8.15.0) appears, assume your machine was compromised and act accordingly.
Upgrade to jscrambler@8.22.0 — the current clean version. That step is the easy one.
The harder work is credential rotation. Rotate everything that was on that machine: AWS/GCP/Azure keys, npm and GitHub tokens, AI API keys (Anthropic, OpenAI, any provider you use), MCP server credentials, and your Bitwarden master password and sessions. Log out of all browser sessions and re-authenticate. If crypto wallets were present on that machine, move funds now — wallet seeds are not revocable.
Check for persistence before you declare the machine clean:
- macOS: inspect
~/Library/LaunchAgents/for unfamiliar plist files - Windows: open Task Scheduler and look for tasks with no obvious origin
If this package was in a CI pipeline, pull the build logs from July 11. Look for unexpected executions of dist/setup.js or unusual outbound TLS connections. CI runners carry deployment credentials by design — that’s the blast radius you’re actually managing.
The Bigger Pattern
This is the fourth time in 2026 that a legitimate, widely used npm package has been compromised through a stolen credential. The attacker knew exactly what they were doing: pick a tool developers trust, hit the publishing account, ship before detection. Six minutes between publish and detection sounds fast. It wasn’t fast enough.
npm 12’s install-script blocking is a real improvement. The jscrambler attacker adapted to it in under three hours. The unsolved problem isn’t install hooks — it’s that a compromised maintainer credential still lets an attacker ship arbitrary code that runs whenever your software does.













