The jscrambler npm package version 8.14.0 was compromised with a preinstall hook that drops a Rust infostealer for Windows, macOS, and Linux, targeting developer secrets, cloud credentials, wallets, and AI tool config files. The malicious release was published directly to npm from a legitimate maintainer account, and users who installed it may have already exposed sensitive data before 8.15.0 replaced it. #jscrambler #npm #ShaiHulud
Keypoints
- jscrambler 8.14.0 was published with a malicious preinstall hook.
- The package dropped native payloads for Windows, macOS, and Linux.
- The infostealer targeted cloud keys, wallets, browser data, and developer sessions.
- It also collected AI coding tool configs and MCP credentials.
- 8.14.0 was pushed outside the normal release flow and remains risky in lockfiles and caches.
Read More: https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html