The Jscrambler client-side web security company disclosed that a threat actor published a malicious version of its npm package that has been downloaded almost 1,500 times.
The malicious Jscrambler package spanned releases 8.14, 8.16, 8.17, and 8.20 and included information-stealing malware that executed during the ‘preinstall’ hook.
“Today, we identified the unauthorized publication of a malicious version of our jscrambler npm package, which is used with our Code Integrity product,” Jscrambler says in a warning on Saturday.
“This incident was limited to that package and did not affect any other Jscrambler products, including Webpage Integrity,” the company said.
Although Jscrambler reacted quickly, the malicious package lasted for two hours before the developer deprecated it and released the safe version 8.22.
The affected package was a dependency for four other Jscrambler packages, which the vendor has also deprecated and replaced with new versions.
Jscrambler is a commercial platform for protecting web and mobile JavaScript applications from reverse engineering and tampering.
Its npm package has 17,000 weekly downloads and enables app developers to upload their JavaScript to Jscrambler’s service to protect the code from alteration. This helps defend against real-time modifications like injecting malicious code.
Application-security company Socket detected the compromise and analyzed the unauthorized Jscrambler release. The researchers say that the package included an infostealer that targeted multiple types of sensitive data:
Socket reports that the malware used strong per-string obfuscation via the ChaCha20-Poly1305 encryption algorithm, which made it difficult to reverse-engineer the code.
According to Jscrambler, the compromise was possible due to compromised npm publishing credentials, which the company has revoked.
Following the incident, additional security controls have been implemented for the publishing pipeline.
Developers who have used the malicious npm packages should treat their environments as compromised, rotate all secrets, and restore from safe backups.
Jscrambler recommends that customers make sure that they are using the latest version of the product.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Popular node-ipc npm package compromised to steal credentials
New Shai-Hulud malware wave compromises 600 npm packages
Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
New IronWorm malware hits 36 packages in npm supply-chain attack
Injective SDK on npm infected with cryptocurrency wallet stealer
Claude Fable 5 stays free for paid users until July 19 as Anthropic buys more time
Australia warns of global campaign targeting vulnerable CMS platforms
‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets
How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.
#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.
Your Scanners Are Green. Your Pipeline Might Not Be. Here’s How to Close the Gap.
AI is a data-breach time bomb: Read the new report?utm_source=bleepingcomputer&utm_medium=referral&utm_campaign=bleepingcomputer_referral&utm_content=article
Overdue a password health-check? Audit your Active Directory for free
Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure
Read our posting guidelinese to learn what content is prohibited.



