A compromised jscrambler npm release, starting with 8.14.0 and later versions, delivered hidden native binaries that ran automatically during install or package execution to steal developer and cloud credentials. The payload targeted wallets, AI coding tools, cloud services, messaging apps, browsers, and system keyrings, while Socket detected the first malicious version within 6 minutes of publication. #jscrambler #Socket #ClaudeDesktop #Cursor #Windsurf #MetaMask #TrustWallet #CoinbaseWallet #Phantom
Keypoints
- The malicious jscrambler package version 8.14.0 introduced hidden native binaries that executed automatically during npm install.
- Version 8.14.0 added an undocumented preinstall hook that ran dist/setup.js before any application code.
- The package included new files dist/setup.js and dist/intro.js, plus platform-specific payloads for Linux, macOS, and Windows.
- Socket detected and flagged the compromised release just 6 minutes after it was published.
- Later malicious releases 8.16.0, 8.17.0, 8.18.0, and 8.20.0 reused the same payload but changed delivery to bypass script-only detection.
- The malware targeted developer and cloud-operator secrets, including wallets, AI tooling configs, cloud credentials, messaging apps, browsers, and OS keyrings.
- Jscrambler revoked publishing credentials, deprecated the affected versions, and confirmed unauthorized publication via an npm credential.
MITRE Techniques
- [T1195.002 ] Compromise Software Supply Chain â The attacker tampered with the npm package releases to deliver malicious code to downstream users [âA compromised release of the popular jscrambler npm package introduced hidden native binariesâ and âThis creates potential exposure across developer workstations, automated build systems, and CI environments.â]
- [T1059.007 ] Command and Scripting Interpreter: JavaScript â The dropper was executed through npm package JavaScript files and hooks [âan undocumented preinstall hook that invokes dist/setup.jsâ and âthe identical dropper is instead injected as a self-executing function at the top of dist/index.js and dist/bin/jscrambler.jsâ]
- [T1105 ] Ingress Tool Transfer â The malicious package delivered embedded binaries and dropped them to the temp directory for execution [âpayloads are embedded in an obfuscated CSI containerâ and âDecompresses it to a randomly named hidden file in the system temp directoryâ]
- [T1027 ] Obfuscated Files or Information â The payloads and strings were hidden through an obfuscated container and per-string encryption [âembedded in an obfuscated CSI containerâ and âEach is individually encrypted with ChaCha20-Poly1305â]
- [T1106 ] Native API â The loader used system-level process execution to run the dropped binary [âLaunches it with spawn(âŚ, { detached: true, stdio: âignoreâ, windowsHide: true }) followed by unref()â]
- [T1036 ] Masquerading â The malicious binary was disguised as a .js file and hidden files in temp were used to avoid attention [âintro.js, despite its name and .js extension, is not JavaScript at allâ and ârandomly named hidden file in the system temp directoryâ]
- [T1057 ] Process Discovery â The malware selected the payload based on the host platform [âselects the single blob matching process.platformâ and âdepending on whether it is installed on Windows, macOS, or Linuxâ]
- [T1552.001 ] Unsecured Credentials: Credentials In Files â It searched for sensitive credentials, tokens, and config files on the system [âconfiguration for AI developer tooling, which frequently holds API keysâ and âcredentials.db, access_tokens.db, application_default_credentials.jsonâ]
- [T1528 ] Steal Application Access Token â It targeted browser, messaging, cloud, and service tokens for exfiltration [âBrowser-extension wallets are targetedâ and âDiscord ⌠/api/v9/users/@me and guild enumerationâ]
- [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers â It harvested browser profiles, cookies, and stored data from Chromium and Firefox [âChrome, Chromium, Edge, Brave, Vivaldi, and Operaâ and âFirefox â profiles.ini, cookies.sqlite, prefs.jsâ]
- [T1053.002 ] Scheduled Task/Job: Cron â Persistence references include cron-based execution on Linux [âPersistence references include systemd user and system units, crontab, and macOS LaunchAgentsâ]
- [T1005 ] Data from Local System â The malware gathered local machine identifiers and host data for reconnaissance [âmachine fingerprinting via /etc/machine-id, /var/lib/dbus/machine-id, and /sys/class/dmi/id/board_serialâ]
- [T1041 ] Exfiltration Over C2 Channel â It uploaded harvested data using TLS and multipart HTTP requests [âoutbound exfiltration, carried over TLS via rustlsâ and âPOST /upload HTTP/1.1 request with a multipart/form-data bodyâ]
- [T1102 ] Web Service â The payload queried cloud and orchestration services to abuse stolen credentials [âcloud metadata services, Kubernetes (/api/v1/namespaces), AWS Secrets Manager and SSMâ]
Indicators of Compromise
- [Malicious npm package] compromised releases â [email protected], [email protected], and other malicious versions 8.16.0, 8.17.0, 8.18.0
- [File names] malicious install and payload files â dist/setup.js, dist/intro.js, and dist/index.js
- [SHA-256 hash] dropped script files â a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60, a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86, and 1 more hash
- [SHA-256 hash] decompressed native payloads â fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd, b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903, and 1 more hash
- [Domains and endpoints] targeted services and exfiltration paths â server.exodus.io, metadata.google.internal, and check.torproject.org/api/ip
- [IP addresses] cloud and network endpoints â 169.254.170.2, 169.254.169.254, and 1.1.1.1
- [GitHub URL] public tracking issue â https://github.com/jscrambler/jscrambler/issues/322
Read more: https://socket.dev/blog/jscrambler-supply-chain-attack