SECURITYTHE HACKER NEWS
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
The jscrambler 8.14.0 npm package included a malicious preinstall hook that deploys a Rust-based infostealer for Windows, macOS, and Linux during installation. The compromised version was published on July 11, 2026, and automatically executes the malware without requiring additional commands or imports. Security firm Socket detected and flagged the release six minutes after publication.
Mentioned
Related Signal
Adjacent reporting
- Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
- Leaked Shai-Hulud malware fuels new npm infostealer campaign
- Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
- Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week
- Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
- Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT