🎩 You're Invited:Meet the Socket team at Black Hat in Las Vegas, August 3-6.RSVP
Sign In
Blog
ResearchSecurity News

jscrambler npm Package Compromised in Supply Chain Attack

A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Socket Research Team

July 11, 2026

2 min read

jscrambler npm Package Compromised in Supply Chain Attack
Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.
Install

A compromised release of the popular jscrambler npm package introduced hidden native binaries that execute automatically during npm install, exposing users to a supply chain attack before any application code runs.

The malicious 8.14.0 release, published on July 11, adds an undocumented preinstall hook that invokes dist/setup.js. It also introduces new files, including dist/setup.js and dist/intro.js, along with platform-specific binaries for Linux, macOS, and Windows embedded in an obfuscated CSI container. None of these files or the install hook exist in the previous release, 8.13.0.

Socket detected the compromised package 6 minutes after publication.

The package selects and executes one of three bundled binaries depending on whether it is installed on Windows, macOS, or Linux.

At the time of analysis, the binaries did not exhibit obvious command-and-control, credential theft, or cryptocurrency mining functionality through static analysis alone. However, the introduction of undocumented native binaries that execute automatically during installation is malicious behavior and consistent with software supply chain compromise.

At a glance

  • Compromised package: jscrambler@8.14.0
  • Published: July 11, 2026
  • Weekly downloads: ~15,800
  • Time to detection: 6 minutes

Key findings

  • Undocumented preinstall hook executes code automatically during npm install.
  • Hidden native binaries added for Linux, macOS, and Windows.
  • Payloads are embedded in an obfuscated CSI container.
  • Install-time components (dist/setup.js and dist/intro.js) are entirely new in version 8.14.0.
  • These behaviors are absent from the previous release, 8.13.0.

Impact#

The compromised jscrambler package is used to integrate Jscrambler’s JavaScript code-protection tooling into application build pipelines. Developers commonly install it as a development dependency or invoke it through CI systems to process production builds.

Because the malicious code runs through a preinstall hook, simply installing jscrambler@8.14.0 is enough to trigger the bundled platform-specific binary. Users do not need to import the package or run the Jscrambler CLI.

This creates potential exposure across developer workstations, automated build systems, and CI environments. Depending on where the package was installed, the malicious binary may have executed with access to source code, environment variables, build credentials, deployment tokens, and other secrets available to the npm process.

The package receives approximately 15,800 weekly downloads, although the number of users who installed the compromised version is not yet known. Socket detected and flagged version 8.14.0 six minutes after it was published.

Recommendation#

Users should remove jscrambler@8.14.0, rotate any credentials accessible to affected development or CI environments, review installation logs for execution of dist/setup.js, and revert to a verified clean release. Pin to version 8.13.0 or another verified clean release until the maintainers publish a remediation.

Socket has reported the compromised release to the Jscrambler maintainers, and a public tracking issue is available on GitHub: https://github.com/jscrambler/jscrambler/issues/322

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.
Install

Subscribe to our newsletter

Get notified when we publish new security blog posts!

Related posts

Back to all posts