Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
Jul 11, 2026
Software Supply Chain / Malware
Version 8.14.0 of the jscrambler npm package shipped with a malicious preinstall hook that silently drops and runs a native infostealer during installation, one build each for Windows, macOS, and Linux. Version 8.14.0 of the jscrambler npm package shipped with a malicious preinstall hook that silently drops and runs a native infostealer during installation, one build each for Windows, macOS, and Linux. Published on July 11, 2026, it needs no import and no CLI call. Installing 8.14.0 is enough to run it. Socket flagged the release six minutes after it was published . If you or one of your build systems pulled it in that window, the payload has already run with whatever access your install process had. The hook fires before the package is even set up, and none of it appears in the prior release, 8.13.0. The package diff shows two new files under dist/: setup.js, a small loader, and intro.js, wh...