8.22.0
12 years ago
8 days ago
Known vulnerabilities in the jscrambler package. This does not include vulnerabilities belonging to this package’s dependencies.
Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.
Fix for free| Vulnerability | Vulnerable Version |
|---|---|
jscrambler is a Jscrambler Code Integrity API client. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform infostealer. A malicious actor compromised an npm publishing credential associated with Jscrambler, which allowed the attacker to publish tampered versions of the package to npm. Maintainer’s Notice Jscrambler has confirmed the unauthorized publication, revoked and rotated its publishing credentials and related secrets, and deprecated the affected releases. For the official report, see https://jscrambler.com/blog/security-advisory-malicious-npm-package Malware Behavior The malicious payload is designed to silently drop and execute a Rust-built, cross-platform infostealer tailored to the victim's operating system (Linux, macOS, or Windows). The malware aggressively targets developer environments to harvest cryptocurrency wallets, AI coding assistant configurations (like Claude Desktop and Cursor), cloud credentials (AWS, GCP, Azure), messaging app tokens, and OS keyrings. The infostealer encrypts its configuration strings using ChaCha20-Poly1305 and exfiltrates the harvested data to an external server over TLS. Notes:
How to fix Embedded Malicious Code? Avoid using all malicious instances of the | =8.14.0=8.16.0=8.17.0=8.18.0=8.20.0 |