jscrambler@8.18.0

Jscrambler Code Integrity API client.

  • latest version

    8.22.0

  • latest non vulnerable version

  • first published

    12 years ago

  • latest version published

    8 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the jscrambler package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Embedded Malicious Code

    jscrambler is a Jscrambler Code Integrity API client.

    Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform infostealer. A malicious actor compromised an npm publishing credential associated with Jscrambler, which allowed the attacker to publish tampered versions of the package to npm.

    Maintainer’s Notice

    Jscrambler has confirmed the unauthorized publication, revoked and rotated its publishing credentials and related secrets, and deprecated the affected releases. For the official report, see https://jscrambler.com/blog/security-advisory-malicious-npm-package

    Malware Behavior The malicious payload is designed to silently drop and execute a Rust-built, cross-platform infostealer tailored to the victim's operating system (Linux, macOS, or Windows). The malware aggressively targets developer environments to harvest cryptocurrency wallets, AI coding assistant configurations (like Claude Desktop and Cursor), cloud credentials (AWS, GCP, Azure), messaging app tokens, and OS keyrings. The infostealer encrypts its configuration strings using ChaCha20-Poly1305 and exfiltrates the harvested data to an external server over TLS.

    Notes:

    • This issue is particularly relevant to developers and CI/CD pipelines. Early malicious versions executed automatically during npm install via a preinstall hook, while later versions trigger when the package is imported or the CLI is run.

    • The native executables are embedded in a 7.8 MB obfuscated CSI container disguised as dist/intro.js.

    • If you installed one of the compromised releases, you should consider your system compromised, immediately rotate any credentials accessible to the environment, and verify the installation of a safe version.

    How to fix Embedded Malicious Code?

    Avoid using all malicious instances of the jscrambler package.

    =8.14.0=8.16.0=8.17.0=8.18.0=8.20.0