Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Multiple Jscrambler Packages Impacted by Supply Chain Attack

A threat actor poisoned several Jscrambler NPM package versions to drop a cross-platform credential stealer.

supply chain threat

Several malicious versions of Jscrambler’s NPM package were published over the weekend as part of a supply chain attack involving compromised credentials.

The popular NPM package is used within the Jscrambler Code Integrity product, a JavaScript protection solution that turns web and mobile applications self-defensive and tamper-resistant.

The attack started on July 11, when a threat actor used the NPM publishing credentials to push a modified version of the package, containing a preinstall hook to drop binaries during the installation process.

While Jscrambler was responding to the incident, the threat actor published additional malicious iterations of the package, namely 8.16, 8.17, 8.18, and 8.20. The first clean version of the package is 8.22.

As the NPM library is a dependency for other packages, the incident also affected Jscrambler-webpack-plugin version 8.6.2, gulp-Jscrambler version 8.6.2, grunt-Jscrambler version 8.5.2, and Jscrambler-metro-plugin version 9.0.2.

According to Jscrambler, NPM data shows that the malicious package versions were downloaded 1,479 times before they were deprecated and replaced with clean versions.

Advertisement. Scroll to continue reading.

“Our investigation indicates that the attacker was able to publish the package using an NPM publishing credential. We have revoked and rotated all relevant credentials, passwords, and secrets, and have implemented additional security controls around our publishing process while the investigation continues,” Jscrambler said.

According to supply chain security firm Socket, the malicious package versions included the preinstall hook, two new files under dist/, namely setup.js and intro.js, and binaries targeting Linux, macOS, and Windows.

When the malicious package version is installed, the hook triggers the infection chain: setup.js is executed to load and execute a platform-specific binary from intro.js.

Written in Rust, the binaries are information stealers targeting credentials and secrets on developer and cloud-operator machines, cryptocurrency wallets and seed phrases, AI coding assistants and MCP server configurations, messaging and collaboration applications, browsers, Steam sessions, and OS keyrings.

The malware also attempts to elevate its privileges and achieve persistence, and performs host reconnaissance.

Socket observed the malware exfiltrating harvested information over TLS via rustls, likely to a drop server. Additionally, the malware constructed requests to query cloud and orchestration APIs using stolen credentials.

Users are advised to immediately remove the affected Jscrambler NPM package versions from their machines, scan the system for malware, and rotate all credentials, tokens, and API keys.

Related: Ghost Accounts Abuse GitHub API in Mass Recon Campaign

Related: North Korean Hackers Target Open Source Developers in Supply Chain Attacks

Related: Network of 200 GitHub Repositories Used for Malware Infection

Related: FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.