logo

Jscrambler npm Supply Chain Attack Steals Cloud Credentials and Crypto Wallet Secrets

ID: fdb4f6b3-b4f7-5c3b-9e2b-71a01dd91503

STIX ID: report--fdb4f6b3-b4f7-5c3b-9e2b-71a01dd91503

Feed Name: GBHackers

Threat Score
90/100

Date Published: 2026-07-13

Date Updated: 2026-07-13

Author: Divya

...
...

**Executive summary:** The Jscrambler npm package was compromised and multiple trojanized releases (including 8.16.0, 8.17.0, 8.18.0, 8.20.0 and a maliciously published 8.15.2) contained a hidden cross-platform credential-stealing payload that executed via a malicious preinstall hook or a self-executing dropper, targeting developer machines, CI/CD pipelines, cloud credentials (AWS, GCP, Azure), browser wallets, developer tool configuration, and other sensitive artifacts; the report provides IOCs (file names, SHA-256 hashes), details on delivery and exfiltration, and remediation guidance to remove affected versions, rotate secrets, and upgrade to 8.22.0.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.