PROBABLYPWNED
MalwareJuly 12, 20263 min read

jscrambler npm Compromise Drops Rust Stealer Targeting AI Tools

Attackers hijacked the jscrambler npm package to deploy a cross-platform Rust infostealer that harvests credentials from AI coding assistants, cloud platforms, and crypto wallets.

James Rivera

A supply chain attack targeting the popular jscrambler npm package deployed a sophisticated Rust-based infostealer designed to harvest credentials from AI coding assistants, cloud platforms, cryptocurrency wallets, and password managers. The malicious code was live for hours before security researchers detected the compromise.

The attack, discovered by Socket Security on July 11, 2026, exploited a compromised npm publishing credential to push version 8.14.0 directly to the registry without corresponding commits in the public GitHub repository. The package sees significant weekly downloads among developers using JavaScript obfuscation tools.

How the Attack Worked

The attacker embedded a cross-platform payload in two files: setup.js functions as a loader that extracts the appropriate binary, while intro.js contains a 7.8MB blob holding three gzip-compressed native binaries targeting Windows, macOS, and Linux systems.

A preinstall hook triggers the payload immediately upon installation. Unlike typical supply chain attacks that wait for runtime, this one executes during the install phase itself, meaning developers running npm install on projects depending on jscrambler would be compromised before writing a single line of code.

The Rust stealer collects an unusually broad range of sensitive data. Beyond traditional browser credentials and cookies, it specifically targets AI coding tool configurations from Claude Desktop, Cursor, Windsurf, VS Code, and Zed. It also harvests cloud credentials from AWS, Azure, and Google Cloud metadata endpoints, cryptocurrency seed phrases from MetaMask, Phantom, and Exodus, and Bitwarden password vaults.

Linux builds include kernel eBPF program injection capability, while Windows and macOS variants feature anti-debugging checks and persistence mechanisms through scheduled tasks and LaunchAgents respectively.

Five Malicious Versions Identified

Initial detection caught version 8.14.0 just six minutes after publication. But the attacker didn't stop there. Socket identified four additional poisoned releases: 8.16.0, 8.17.0, 8.18.0, and 8.20.0, all published within approximately three hours of the first detection.

The clean replacement version 8.22.0 is now available, and developers should immediately upgrade and remove any cached copies of the compromised versions from their systems.

Targeting Developers and Their Secrets

This attack fits a pattern we've tracked throughout 2026 where supply chain compromises increasingly target developer tooling and credentials. Unlike consumer-focused malware, these campaigns prioritize access to cloud infrastructure, source code repositories, and internal systems.

The specific focus on AI coding assistants represents an evolution in attacker priorities. As developers integrate tools like Cursor and other AI assistants into their workflows, the API keys and session tokens stored in these configurations become high-value targets.

What You Should Do

Anyone who installed jscrambler between July 11 and the publication of version 8.22.0 should treat their development environment as compromised.

  1. Remove compromised versions from lockfiles and npm caches immediately
  2. Audit for persistence by checking Windows Task Scheduler and macOS LaunchAgents for unfamiliar entries
  3. Rotate all credentials including cloud access keys, npm/GitHub tokens, AI tool API keys, and cryptocurrency wallet seeds
  4. Revoke active sessions for browsers, Slack, Discord, Telegram, and password managers

The malware communicates with command-and-control servers at 37.27.122.124 and 57.128.246.79, and uses Tor infrastructure for fallback connectivity. Network monitoring teams should check logs for connections to these endpoints.

Supply Chain Security Remains Fragile

The attack arrived just three days after npm 12 shipped with install scripts disabled by default. That change would have blocked this specific vector, but most production systems haven't yet upgraded to the new npm version.

Organizations relying on JavaScript dependencies should implement package pinning, audit new releases before deployment, and consider tools that detect suspicious package behavior during install phases. For guidance on protecting development environments, see our online safety tips covering credential hygiene and supply chain risks.

Related Articles