#1
The Hacker News
general
July 11, 2026 at 17:59 UTC
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
By [email protected] (The Hacker News)
AI Summary
The jscrambler npm package version 8.14.0, published July 11, 2026, was found to contain a malicious preinstall hook that silently executes a Rust-based infostealer during installation across Windows, macOS, and Linux — requiring no import or CLI invocation. Socket detected the compromise just six minutes after publication. Supply chain attacks via trusted npm packages pose severe risk to CI/CD pipelines and developer environments.
Relevance score: 82.0/100
Sponsored
Protect Your Business
Expert cybersecurity solutions to safeguard your organization from evolving threats.
Get Protected →