Security

Jscrambler Package Injects Infostealer Into AI Coding Tools

4 min read
Monitor with an npm terminal and a red security warning next to suspicious code – symbolic image of a supply-chain attack. Image generated with GPT Image 2
Monitor with an npm terminal and a red security warning next to suspicious code – symbolic image of a supply-chain attack.

TL;DR Too Long; Didn’t read

A compromised publishing token let attackers release five malicious versions of the JavaScript package Jscrambler on npm. The embedded infostealer specifically searched infected machines for API keys from Claude Desktop, Cursor, Windsurf, and other AI coding tools. Security researchers say they halted the spread within minutes; Jscrambler recommends all users update to version 8.22.0.

Key takeaways

  • Five manipulated Jscrambler versions appeared on npm on July 11, 2026, between 15:12 and 17:53 UTC.
  • The infostealer targeted six AI coding tools: Claude Desktop, Cursor, Windsurf, VS Code, Zed, and Factory.
  • On Linux systems, the malware used eBPF techniques and partly communicated with attacker infrastructure via Tor.
  • Security vendor Socket flagged the first malicious version within six minutes of publication, according to its own account.
  • Jscrambler confirmed a stolen publishing access token and names version 8.22.0 as the safe update.
  • The package logged about 15,800 weekly downloads on the npm registry before the incident.

Unknown attackers published five manipulated versions of the npm package Jscrambler on July 11, 2026, containing an infostealer written in Rust. The malware specifically searched for credentials belonging to AI coding tools such as Claude Desktop and Cursor, as well as cloud access keys and cryptocurrency wallets. Security vendor Socket discovered the first affected version within six minutes, according to its own account.

Five Versions Spread Malware Within Three Hours

Attackers published the first manipulated release, 8.14.0, at 15:12 UTC using a compromised npm publishing token. Four more versions followed by 17:53 UTC: 8.16.0, 8.17.0, 8.18.0, and 8.20.0. In between, version 8.15.0 briefly appeared unmodified, complicating automatic detection. According to StepSecurity, the early versions used a previously undocumented preinstall hook that unpacked and launched a binary disguised as JavaScript, 7.8 megabytes in size. Starting with version 8.18.0, the attackers switched methods: the malicious code now ran simply when the package was imported into the main module, rather than during installation. This bypassed the widely used —ignore-scripts protection that many development teams rely on against malicious install scripts. The payload contained separate, Rust-compiled programs for Windows, macOS, and Linux, with an additional function on Linux to load eBPF code into the kernel. According to Socket’s technical analysis, the actual programs were hidden inside an obfuscated container with its own five-byte signature header; each platform variant was individually secured with the ChaCha20-Poly1305 encryption scheme. Just days earlier, on July 8, 2026, npm had disabled install scripts by default in version 12 — a safeguard that the second attack variant, starting with version 8.18.0, specifically circumvented.

Infostealer Specifically Targets Credentials From AI Tools

The malware scanned infected machines for configuration files belonging to Claude Desktop, Cursor, Windsurf, VS Code, Zed, and Factory. Through these, it harvested both API keys and credentials for the Model Context Protocol. As The Hacker News reports, this target sat alongside classic loot such as AWS, Azure, and Google Cloud credentials, Kubernetes endpoints, and Bitwarden’s password vaults. The infostealer also searched browser extensions for cryptocurrency wallets such as MetaMask, Phantom, and Exodus for seed phrases, and captured session data from Discord, Slack, Telegram, and Steam. To access saved browser passwords from Chrome, Edge, Brave, Vivaldi, Opera, and Firefox, the malware used an embedded SQLite engine. For wallet data, it additionally used the LevelDB format, supplemented by a BIP39-standard wordlist for recognizing crypto seed phrases. On Windows and macOS, the malware set up hidden scheduled tasks or LaunchAgents, respectively, to remain active after a restart. Communication with the attacker infrastructure ran encrypted over fixed IP addresses as well as Tor nodes. Jscrambler counted roughly 15,800 weekly downloads before the incident; how many installations actually received one of the five manipulated versions has not been independently verified.

Jscrambler Revokes Credentials and Advises an Update

In a security advisory, Jscrambler confirmed the unauthorized publication via a compromised publishing access token and stressed that the incident affected only this one package. The company revoked the affected credentials, removed the five manipulated versions, and hardened its own publishing pipeline. Jscrambler names 8.22.0 as the safe version; earlier, unmodified releases such as 8.13.0 are also considered safe. Security vendor Socket flagged the first manipulated version automatically six minutes after publication; additional technical analyses came from StepSecurity and SafeDep. According to SafeDep, npm reportedly recorded no downloads of the manipulated versions in the meantime, though server-side confirmation is still pending. Security teams that had integrated the package should, based on the analysis by StepSecurity and SafeDep, check the following steps:

  • Update to version 8.22.0 or roll back to the last unmodified release, 8.13.0
  • Check affected workstations and CI runners for connections to the IP addresses 37.27.122.124 and 57.128.246.79, as well as to Tor services
  • Rotate credentials for cloud accounts, AI coding tools, and password vaults
  • Move cryptocurrency from potentially affected devices to newly created wallets

What remains unclear is how the attackers obtained Jscrambler’s npm publishing token — the company has not yet published any findings on this. The incident also shows that AI-connected development tools now count as a distinct attack surface: credentials for the Model Context Protocol were explicitly part of the loot list alongside cloud keys and crypto wallets.

Frequently asked questions

Which version of Jscrambler is safe?

Version 8.22.0 is considered clean, as are earlier, unmodified releases up to and including 8.13.0. Versions 8.14.0 through 8.20.0, except 8.15.0, are affected.

Were only users of AI coding tools affected?

No. The infostealer also harvested cloud credentials, crypto wallets, password vaults, and login data for messaging services like Discord and Telegram.

How can I tell if my system was affected?

Check the node_modules/jscrambler/dist folder for a suspicious file named intro.js, and check for network connections to the IP addresses and Tor domains published by Socket and StepSecurity.

What should affected development teams do now?

Besides updating the version, teams should rotate all credentials accessible from the machine and migrate cryptocurrency to newly created wallets.

Is Jscrambler itself still compromised?

According to the company, it has revoked the affected credentials and hardened its publishing pipeline. No published findings are yet available on exactly how the access occurred.


← Back to the blog