jscrambler npm Compromise Drops Rust Stealer Targeting AI Tools
Attackers hijacked the jscrambler npm package to deploy a cross-platform Rust infostealer that harvests credentials from AI coding assistants, cloud platforms, and crypto wallets.
A supply chain attack targeting the popular jscrambler npm package deployed a sophisticated Rust-based infostealer designed to harvest credentials from AI coding assistants, cloud platforms, cryptocurrency wallets, and password managers. The malicious code was live for hours before security researchers detected the compromise.
The attack, discovered by Socket Security on July 11, 2026, exploited a compromised npm publishing credential to push version 8.14.0 directly to the registry without corresponding commits in the public GitHub repository. The package sees significant weekly downloads among developers using JavaScript obfuscation tools.
How the Attack Worked
The attacker embedded a cross-platform payload in two files: setup.js functions as a loader that extracts the appropriate binary, while intro.js contains a 7.8MB blob holding three gzip-compressed native binaries targeting Windows, macOS, and Linux systems.
A preinstall hook triggers the payload immediately upon installation. Unlike typical supply chain attacks that wait for runtime, this one executes during the install phase itself, meaning developers running npm install on projects depending on jscrambler would be compromised before writing a single line of code.
The Rust stealer collects an unusually broad range of sensitive data. Beyond traditional browser credentials and cookies, it specifically targets AI coding tool configurations from Claude Desktop, Cursor, Windsurf, VS Code, and Zed. It also harvests cloud credentials from AWS, Azure, and Google Cloud metadata endpoints, cryptocurrency seed phrases from MetaMask, Phantom, and Exodus, and Bitwarden password vaults.
Linux builds include kernel eBPF program injection capability, while Windows and macOS variants feature anti-debugging checks and persistence mechanisms through scheduled tasks and LaunchAgents respectively.
Five Malicious Versions Identified
Initial detection caught version 8.14.0 just six minutes after publication. But the attacker didn't stop there. Socket identified four additional poisoned releases: 8.16.0, 8.17.0, 8.18.0, and 8.20.0, all published within approximately three hours of the first detection.
The clean replacement version 8.22.0 is now available, and developers should immediately upgrade and remove any cached copies of the compromised versions from their systems.
Targeting Developers and Their Secrets
This attack fits a pattern we've tracked throughout 2026 where supply chain compromises increasingly target developer tooling and credentials. Unlike consumer-focused malware, these campaigns prioritize access to cloud infrastructure, source code repositories, and internal systems.
The specific focus on AI coding assistants represents an evolution in attacker priorities. As developers integrate tools like Cursor and other AI assistants into their workflows, the API keys and session tokens stored in these configurations become high-value targets.
What You Should Do
Anyone who installed jscrambler between July 11 and the publication of version 8.22.0 should treat their development environment as compromised.
- Remove compromised versions from lockfiles and npm caches immediately
- Audit for persistence by checking Windows Task Scheduler and macOS LaunchAgents for unfamiliar entries
- Rotate all credentials including cloud access keys, npm/GitHub tokens, AI tool API keys, and cryptocurrency wallet seeds
- Revoke active sessions for browsers, Slack, Discord, Telegram, and password managers
The malware communicates with command-and-control servers at 37.27.122.124 and 57.128.246.79, and uses Tor infrastructure for fallback connectivity. Network monitoring teams should check logs for connections to these endpoints.
Supply Chain Security Remains Fragile
The attack arrived just three days after npm 12 shipped with install scripts disabled by default. That change would have blocked this specific vector, but most production systems haven't yet upgraded to the new npm version.
Organizations relying on JavaScript dependencies should implement package pinning, audit new releases before deployment, and consider tools that detect suspicious package behavior during install phases. For guidance on protecting development environments, see our online safety tips covering credential hygiene and supply chain risks.
Related Articles
Hijacked npm and Go Packages Use VS Code Tasks and Blockchain C2
18 compromised packages hide execution in VS Code folder-open tasks, fetch encrypted payloads from blockchain transactions, and deploy Python infostealers.
Jun 30, 202615 JetBrains Plugins With 70K Installs Caught Stealing AI Keys
Malicious JetBrains IDE plugins disguised as AI coding assistants exfiltrated OpenAI and DeepSeek API keys from developers. All 15 plugins have been removed and publisher accounts terminated.
Jun 18, 2026Fake OpenAI Repo Hit #1 on Hugging Face, Stole Windows Credentials
Malicious repository impersonating OpenAI's Privacy Filter reached 244,000 downloads before removal. Infostealer targeted Windows users via trending Hugging Face page.
May 28, 2026npm Package Targeted Claude AI Users, Leaked Own GitHub Token
Malicious npm package mouse5212-super-formatter stole files from Claude AI's working directory. The attacker's own GitHub token was exposed in the code, allowing researchers to trace exfiltration.
May 28, 2026