Overview

Heads up: the jscrambler package published version 8.14.0 contained a sneaky installer step that writes and runs a native binary on install. The bad bit lives in a preinstall hook that unpacks a platform-specific executable from a bulky JavaScript payload and launches it from the system temp directory. That native drop is a Rust infostealer built for Linux, Windows, and macOS.

The malicious files were included only in the npm artifact for 8.14.0 — they do not exist in the public repo history or normal release flow. The release was pushed from a legitimate maintainer account, which suggests either an npm account compromise or a hijacked build pipeline.

Once executed the payload aggressively harvests developer-focused secrets (cloud creds, CI metadata, API keys, wallets, password managers, browser data, chat sessions, and AI-tool config files) and sends them off over TLS. On Linux it can even load an eBPF program into the kernel, which is far scarier than mere file reads. The Windows and macOS builds include anti-debugging and persistence tricks (hidden scheduled tasks on Windows, LaunchAgents on macOS).

What to do now

Short version: if you ever installed [email protected], assume secrets are stolen and act like you mean it. The stealer does its work in seconds during install.

  • Stop installing 8.14.0. Upgrade to 8.15.0 or pin to the pre-incident 8.13.0. Remove any references to [email protected] from lockfiles and CI caches.
  • Check whether 8.14.0 ran: search lockfiles, package-manager logs, and CI run logs for [email protected] or any invocation of dist/setup.js since the release date. The loader writes the executable under a random name to the temp folder, so line up install timestamps with child-process activity and temp-file creation rather than searching for a fixed filename.
  • Inspect endpoints for persistence: on Windows look for hidden scheduled tasks, on macOS check ~/Library/LaunchAgents for unfamiliar plists, and on Linux look for strange or recently created hidden files in /tmp or similar temp dirs.
  • If you confirm execution, assume compromise: rotate cloud credentials (AWS, Azure, Google Cloud), CI and token secrets, npm/GitHub credentials, AI-tool API keys and MCP credentials, and revoke affected sessions (Discord, Slack, browser, Bitwarden). Move any cryptocurrency out of wallets found on the host.
  • Harden your toolchain: use npm 12+ where install scripts are disabled by default unless approved, audit maintainer accounts and CI pipelines for strange access, and consider pinning production builds to known-clean versions or using an allowlist for install hooks.
  • Block known attacker network addresses at your perimeter if possible and inspect outbound traffic from build hosts for connections to unusual IPs or Tor-related endpoints.

Indicators of compromise

Malicious package:

SHA-256 hashes (added files and native payloads):

  • dist/setup.js: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
  • dist/intro.js: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
  • Linux payload: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
  • Windows payload: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
  • macOS payload: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd

Observed network indicators:

  • C2 IP: 37.27.122[.]124
  • C2 IP: 57.128.246[.]79
  • Tor-related infrastructure: check.torproject[.]org, archive.torproject[.]org (seen as part of connectivity/routing behavior)

On-host artifacts:

  • A randomly named hidden file in the system temp directory (e.g. .{random} or .{random}.exe on Windows)
  • Hidden Windows scheduled task configured to run frequently
  • A macOS LaunchAgent plist used for persistence

Final note: the package had a modest weekly download count, but the attackers were clearly targeting build and CI environments where a single compromised job can leak high-value secrets. If your toolchain touched 8.14.0, treat the incident as high-priority.