Date: 07/13/2026
Severity: High
Summary
A supply-chain attack compromised the Jscrambler npm package, introducing trojanized versions that executed a hidden cross-platform credential-stealing payload on Windows, Linux, and macOS. The malware targeted cloud credentials (AWS, Azure, GCP), developer secrets, CI/CD environments, cryptocurrency wallets, browser data, and AI/MCP configuration files. Attackers used malicious install hooks and later self-executing droppers to trigger execution, including techniques that could bypass npm install --ignore-scripts. Organizations are advised to remove affected versions and rotate potentially exposed credentials and secrets.
Indicators of Compromise (IOC) List
Hash | a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
|
Packages | jscrambler@8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0 |
Clean release | jscrambler@8.22.0 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | sha256hash IN ("c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd","fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd","a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86","b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903","a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60")
|
Reference:
https://gbhackers.com/jscrambler-npm-supply-chain-attack-steals-cloud-credentials/