Jscrambler 8.14.0 Compromised with Credential Stealer

abhisek2 pts0 comments

Official jscrambler npm Package Compromised at 8.14.0 - Real-time Open Source Software Supply Chain Security

Login Start for Free 1.5k

Back<br>Vet<br>Scan and govern your dependencies across every PR and build.

PMG<br>Block malicious packages at install-time, before they enter your codebase.

xbom<br>Generate AI-enriched BOMs using real code evidence, not just manifests.

GRYPH<br>Monitor every AI coding agent action across your projects and workflows.

Back Discover & Monitor<br>SCA & SBOM Scan dependencies, generate SBOMs, enforce policy.

AI Agent Discovery See every AI tool and SDK in your org.

AI Agent Monitoring Audit every action your AI agents take.

Protect<br>Developer Security Block malicious packages at install-time.

CI/CD Security Block malicious packages in your pipeline.

MCP Server Block threats inside your AI coding agent.

Agent API Threat intelligence API for custom agents.

Threat Intelligence Real-time malicious package verdicts.

Govern<br>Endpoint Protection Package events & AI inventory in the cloud.

Platform Centralized policies, dashboard, compliance.

Login Start for Free 1.5k

Back to Blog

Official jscrambler npm Package Compromised at 8.14.0<br>Malware

SafeDep Team<br>• Jul 11, 2026 • 7 min read

Table of Contents

Open Source · Free<br>Protect your projects from malicious packages<br>PMG wraps your favorite package manager to block malicious packages at install time

Get PMG on GitHub

` rules instead of the old inline `prose-* / [&_…]`<br>modifier string — that string compiled to ~40 complex selectors that<br>Chrome iOS (WKWebView) re-matched on every scroll recalc, blanking the<br>page. Base `prose prose-lg prose-invert` reset is kept.<br>-->

TL;DR

The official jscrambler npm package, published by the legitimate jscrambler_ account ([email protected]), was trojanized at version 8.14.0 on July 11, 2026. The compromised version adds a preinstall hook and two new files absent in 8.13.0: a 43-line JavaScript dropper (dist/setup.js) and a 7.5 MB binary container (dist/intro.js) that bundles gzip-compressed native executables for Linux, Windows, and macOS. The dropper unpacks the platform-matched binary into a hidden temp file and spawns it detached. The dropped binaries are Rust-compiled infostealers that target browser profile data (Chrome, Brave, Edge, Chromium), the Bitwarden password manager extension, and Steam gaming sessions. They install persistence through Windows Task Scheduler and macOS LaunchAgents. No corresponding commit, tag, or release for 8.14.0 exists in the jscrambler GitHub repository, which points to an npm account or CI pipeline compromise. With roughly 60,000 monthly downloads, the blast radius is significant.

Impact:

Installing [email protected] runs a native binary at install time that targets browser credentials across Chrome, Chromium, Brave, and Edge

The Bitwarden browser extension (nngceckbapebfimnlniiiahkandclblb) is explicitly targeted, putting stored vault data at risk

Steam session cookies (steamLoginSecure, sessionid) are harvested

The payload installs persistent scheduled tasks (Windows) or LaunchAgents (macOS) that survive reboots

All existing dist/ files are byte-identical to 8.13.0. Only the dropper and binary container were added

Indicators of Compromise (IoC):

Compromised package: [email protected] (npm)

Clean version: [email protected]

Binary container magic bytes: 1b 43 53 49 01 (\x1bCSI\x01)

SHA256 (Linux ELF x86-64): fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd

SHA256 (Windows PE x86-64): b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903

SHA256 (macOS Mach-O arm64): c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd

Bitwarden extension ID targeted: nngceckbapebfimnlniiiahkandclblb

Embedded hash (Windows binary): 9eeffcb5c3445ef9512f7776045f99ea23f9ebed989f8570bc4634b4e340de5d

Host artifacts: hidden dotfiles in os.tmpdir() (.{random} on Linux/macOS, .{random}.exe on Windows)

Windows Task Scheduler XML with true, restart interval PT1M, count 999

macOS LaunchAgent plist with RunAtLoad, KeepAlive, StartInterval 30s

Analysis

The compromise surface

Jscrambler is a commercial JavaScript protection platform. Their official npm CLI client, published under the jscrambler_ account ([email protected]), has ten maintainers, several with @jscrambler.com email addresses.

# Registry metadata for jscrambler

Maintainers: jscrambler_ ([email protected]),

antonio.soares ([email protected]),

jose.cerqueira ([email protected]),

f-ribeiro ([email protected]),

vitormagano ([email protected]),

... and 5 others

Version 8.13.0 was published on June 30, 2026, matching a GitHub commit from the same day. Version 8.14.0 appeared on July 11, 2026, with no corresponding GitHub commit, tag, or pull request. The GitHub repo’s latest tag is [email protected]. The attacker published directly to npm, bypassing the project’s normal release workflow.

The other packages in the jscrambler ecosystem (jscrambler-webpack-plugin,...

email protected jscrambler package windows time

Related Articles