Embedded Malicious Code Affecting jscrambler package, versions =8.14.0=8.16.0=8.17.0=8.18.0=8.20.0


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-JSCRAMBLER-17954275
  • published12 Jul 2026
  • disclosed11 Jul 2026
  • creditSocket Research Team

Introduced: 11 Jul 2026

New Malicious CVE NOT AVAILABLE CWE-506  (opens in a new tab)

How to fix?

Avoid using all malicious instances of the jscrambler package.

Overview

jscrambler is a Jscrambler Code Integrity API client.

Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform infostealer. A malicious actor compromised an npm publishing credential associated with Jscrambler, which allowed the attacker to publish tampered versions of the package to npm.

Maintainer’s Notice

Jscrambler has confirmed the unauthorized publication, revoked and rotated its publishing credentials and related secrets, and deprecated the affected releases. For the official report, see https://jscrambler.com/blog/security-advisory-malicious-npm-package

Malware Behavior The malicious payload is designed to silently drop and execute a Rust-built, cross-platform infostealer tailored to the victim's operating system (Linux, macOS, or Windows). The malware aggressively targets developer environments to harvest cryptocurrency wallets, AI coding assistant configurations (like Claude Desktop and Cursor), cloud credentials (AWS, GCP, Azure), messaging app tokens, and OS keyrings. The infostealer encrypts its configuration strings using ChaCha20-Poly1305 and exfiltrates the harvested data to an external server over TLS.

Notes:

  • This issue is particularly relevant to developers and CI/CD pipelines. Early malicious versions executed automatically during npm install via a preinstall hook, while later versions trigger when the package is imported or the CLI is run.

  • The native executables are embedded in a 7.8 MB obfuscated CSI container disguised as dist/intro.js.

  • If you installed one of the compromised releases, you should consider your system compromised, immediately rotate any credentials accessible to the environment, and verify the installation of a safe version.

CVSS Base Scores

version 4.0
version 3.1