jscrambler npm Package Compromised in Supply Chain Attack

jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release, starting with 8.14.0 and later versions, delivered hidden native binaries that ran automatically during install or package execution to steal developer and cloud credentials. The payload targeted wallets, AI coding tools, cloud services, messaging apps, browsers, and system keyrings, while Socket detected the first malicious version within 6 minutes of publication. #jscrambler #Socket #ClaudeDesktop #Cursor #Windsurf #MetaMask #TrustWallet #CoinbaseWallet #Phantom

Keypoints

  • The malicious jscrambler package version 8.14.0 introduced hidden native binaries that executed automatically during npm install.
  • Version 8.14.0 added an undocumented preinstall hook that ran dist/setup.js before any application code.
  • The package included new files dist/setup.js and dist/intro.js, plus platform-specific payloads for Linux, macOS, and Windows.
  • Socket detected and flagged the compromised release just 6 minutes after it was published.
  • Later malicious releases 8.16.0, 8.17.0, 8.18.0, and 8.20.0 reused the same payload but changed delivery to bypass script-only detection.
  • The malware targeted developer and cloud-operator secrets, including wallets, AI tooling configs, cloud credentials, messaging apps, browsers, and OS keyrings.
  • Jscrambler revoked publishing credentials, deprecated the affected versions, and confirmed unauthorized publication via an npm credential.

MITRE Techniques

  • [T1195.002 ] Compromise Software Supply Chain – The attacker tampered with the npm package releases to deliver malicious code to downstream users [‘A compromised release of the popular jscrambler npm package introduced hidden native binaries’ and ‘This creates potential exposure across developer workstations, automated build systems, and CI environments.’]
  • [T1059.007 ] Command and Scripting Interpreter: JavaScript – The dropper was executed through npm package JavaScript files and hooks [‘an undocumented preinstall hook that invokes dist/setup.js’ and ‘the identical dropper is instead injected as a self-executing function at the top of dist/index.js and dist/bin/jscrambler.js’]
  • [T1105 ] Ingress Tool Transfer – The malicious package delivered embedded binaries and dropped them to the temp directory for execution [‘payloads are embedded in an obfuscated CSI container’ and ‘Decompresses it to a randomly named hidden file in the system temp directory’]
  • [T1027 ] Obfuscated Files or Information – The payloads and strings were hidden through an obfuscated container and per-string encryption [’embedded in an obfuscated CSI container’ and ‘Each is individually encrypted with ChaCha20-Poly1305’]
  • [T1106 ] Native API – The loader used system-level process execution to run the dropped binary [‘Launches it with spawn(…, { detached: true, stdio: “ignore”, windowsHide: true }) followed by unref()’]
  • [T1036 ] Masquerading – The malicious binary was disguised as a .js file and hidden files in temp were used to avoid attention [‘intro.js, despite its name and .js extension, is not JavaScript at all’ and ‘randomly named hidden file in the system temp directory’]
  • [T1057 ] Process Discovery – The malware selected the payload based on the host platform [‘selects the single blob matching process.platform’ and ‘depending on whether it is installed on Windows, macOS, or Linux’]
  • [T1552.001 ] Unsecured Credentials: Credentials In Files – It searched for sensitive credentials, tokens, and config files on the system [‘configuration for AI developer tooling, which frequently holds API keys’ and ‘credentials.db, access_tokens.db, application_default_credentials.json’]
  • [T1528 ] Steal Application Access Token – It targeted browser, messaging, cloud, and service tokens for exfiltration [‘Browser-extension wallets are targeted’ and ‘Discord … /api/v9/users/@me and guild enumeration’]
  • [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers – It harvested browser profiles, cookies, and stored data from Chromium and Firefox [‘Chrome, Chromium, Edge, Brave, Vivaldi, and Opera’ and ‘Firefox — profiles.ini, cookies.sqlite, prefs.js’]
  • [T1053.002 ] Scheduled Task/Job: Cron – Persistence references include cron-based execution on Linux [‘Persistence references include systemd user and system units, crontab, and macOS LaunchAgents’]
  • [T1005 ] Data from Local System – The malware gathered local machine identifiers and host data for reconnaissance [‘machine fingerprinting via /etc/machine-id, /var/lib/dbus/machine-id, and /sys/class/dmi/id/board_serial’]
  • [T1041 ] Exfiltration Over C2 Channel – It uploaded harvested data using TLS and multipart HTTP requests [‘outbound exfiltration, carried over TLS via rustls’ and ‘POST /upload HTTP/1.1 request with a multipart/form-data body’]
  • [T1102 ] Web Service – The payload queried cloud and orchestration services to abuse stolen credentials [‘cloud metadata services, Kubernetes (/api/v1/namespaces), AWS Secrets Manager and SSM’]

Indicators of Compromise

  • [Malicious npm package] compromised releases – [email protected], [email protected], and other malicious versions 8.16.0, 8.17.0, 8.18.0
  • [File names] malicious install and payload files – dist/setup.js, dist/intro.js, and dist/index.js
  • [SHA-256 hash] dropped script files – a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60, a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86, and 1 more hash
  • [SHA-256 hash] decompressed native payloads – fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd, b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903, and 1 more hash
  • [Domains and endpoints] targeted services and exfiltration paths – server.exodus.io, metadata.google.internal, and check.torproject.org/api/ip
  • [IP addresses] cloud and network endpoints – 169.254.170.2, 169.254.169.254, and 1.1.1.1
  • [GitHub URL] public tracking issue – https://github.com/jscrambler/jscrambler/issues/322


Read more: https://socket.dev/blog/jscrambler-supply-chain-attack