Security · 2h ago
Jscrambler npm Package Compromised, Drops Rust Infostealer
Version 8.14.0 of the jscrambler npm package included a malicious preinstall hook that silently installs a Rust-based infostealer on Windows, macOS, and Linux. The attack requires no import or CLI call—simply installing the package triggers the malware. Socket detected the malicious release within six minutes of its publication on July 11, 2026.
Meridian48 take
The speed of detection is reassuring, but the incident underscores how supply-chain attacks can weaponize trusted packages with minimal user interaction.
Read the full reporting
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install →
The Hacker News
supply-chain-attacknpm-malware