Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsAvoid using all malicious instances of the jscrambler package.
jscrambler is a Jscrambler Code Integrity API client.
Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform infostealer. A malicious actor compromised an npm publishing credential associated with Jscrambler, which allowed the attacker to publish tampered versions of the package to npm.
Maintainer’s Notice
Jscrambler has confirmed the unauthorized publication, revoked and rotated its publishing credentials and related secrets, and deprecated the affected releases. For the official report, see https://jscrambler.com/blog/security-advisory-malicious-npm-package
Malware Behavior The malicious payload is designed to silently drop and execute a Rust-built, cross-platform infostealer tailored to the victim's operating system (Linux, macOS, or Windows). The malware aggressively targets developer environments to harvest cryptocurrency wallets, AI coding assistant configurations (like Claude Desktop and Cursor), cloud credentials (AWS, GCP, Azure), messaging app tokens, and OS keyrings. The infostealer encrypts its configuration strings using ChaCha20-Poly1305 and exfiltrates the harvested data to an external server over TLS.
Notes:
This issue is particularly relevant to developers and CI/CD pipelines. Early malicious versions executed automatically during npm install via a preinstall hook, while later versions trigger when the package is imported or the CLI is run.
The native executables are embedded in a 7.8 MB obfuscated CSI container disguised as dist/intro.js.
If you installed one of the compromised releases, you should consider your system compromised, immediately rotate any credentials accessible to the environment, and verify the installation of a safe version.