Jscrambler npm Package Backdoored with Sophisticated Infostealer Malware
A critical supply chain attack has impacted **Jscrambler**, a client-side web security company, after a malicious version of its npm package was published. The compromised package, downloaded nearly 1,500 times, contained an advanced infostealer designed to exfiltrate sensitive developer and cryptocurrency data. This incident highlights the persistent threats within the software supply chain.
The **Jscrambler** client-side web security company recently disclosed a significant security incident involving its npm package. A threat actor successfully published a malicious version of the package, which was subsequently downloaded almost 1,500 times by unsuspecting developers.
The compromised **Jscrambler** package spanned releases 8.14, 8.16, 8.17, and 8.20. It incorporated information-stealing malware that activated during the 'preinstall' hook of the package installation process.
"Today, we identified the unauthorized publication of a malicious version of our jscrambler npm package, which is used with our Code Integrity product," **Jscrambler** stated in a security advisory. The company confirmed that the incident was isolated to this specific package and did not impact other **Jscrambler** products, including **Webpage Integrity**.
Despite a swift response from **Jscrambler**, the malicious package remained available for approximately two hours before it was deprecated and replaced with a safe version (8.22). The affected package was also a dependency for four other **Jscrambler** packages, all of which have since been deprecated and updated.
Statistical data from **Node Package Manager (npm)** indicates that the malicious package recorded 1,479 downloads during its brief window of availability.
**Jscrambler** provides a commercial platform designed to protect web and mobile JavaScript applications from reverse engineering and tampering. Its npm package, which typically sees 17,000 weekly downloads, enables developers to upload JavaScript code to **Jscrambler**'s service for protection against real-time modifications and malicious code injection.
## Infostealer's Broad Reach
Application-security company **Socket** was instrumental in detecting the compromise and conducting an in-depth analysis of the unauthorized **Jscrambler** release. **Socket** researchers revealed that the included infostealer targeted a wide array of sensitive data, including:
* Source code and project files
* Developer credentials and secrets (Git, SSH, environment variables, CI/CD tokens)
* Cloud credentials and secret managers (AWS, Azure, GCP, Kubernetes)
* AI coding tools and MCP configurations (Claude, Cursor, Windsurf, VS Code, Zed)
* Cryptocurrency wallets and seed phrases (MetaMask, Phantom, Coinbase, Exodus, Trust Wallet)
* Browser data (cookies, saved credentials)
* Messaging and collaboration apps (Slack, Discord, Telegram)
**Socket**'s report further detailed that the malware employed robust per-string obfuscation using the **ChaCha20-Poly1305** encryption algorithm, making reverse-engineering efforts significantly more challenging.
## Post-Incident Actions and Recommendations
**Jscrambler** attributes the compromise to breached npm publishing credentials, which have since been revoked. In response to the incident, the company has implemented additional security controls within its publishing pipeline.
Developers who may have utilized the malicious npm packages are strongly advised to consider their environments compromised. Critical steps include rotating all secrets and restoring systems from known safe backups. **Jscrambler** also urges all customers to ensure they are using the latest, secure version of the product.