A malicious version of the Jscrambler npm package, jscrambler@8.14.0, was published at 15:12 UTC on 11 July 2026. The compromised release executed a dropper via an npm preinstall hook that detected the host operating system and extracted a platform-specific native binary for Windows, Linux, or macOS from a gzip-compressed CSI container. Subsequent malicious releases (8.18.0 and 8.20.0) removed the install hook entirely and instead executed the same payload when the package was imported or its CLI was invoked, allowing the malware to evade defenses that only inspect npm lifecycle scripts.
The native payload appears to function as a cross-platform infostealer targeting developer workstations and CI/CD environments. Public analysis indicates it attempts to collect browser credentials and cookies, cloud credentials (including AWS, Azure, and GCP), cryptocurrency wallet data, AI development tool and MCP configurations, Steam data, and other sensitive information before compressing and encrypting the collected data for exfiltration. StepSecurity observed network traffic to Tor Project infrastructure during analysis, suggesting the malware may leverage the Tor network during its operation, although Wiz has been unable to independently confirm the exfiltration mechanism.