Jscrambler npm Package Spreads Rust Infostealer

A critical software supply chain attack has impacted the widely used jscrambler npm package, with malicious versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0 discovered delivering a Rust-based infostealer. The compromise, traced back to a hijacked npm publishing credential, directly targets developer machines and CI/CD environments. Upon installation, the malware automatically executes, searching for and exfiltrating high-value credentials, including cloud API keys for AWS, Azure, and Google Cloud, cryptocurrency wallet seed phrases from MetaMask, Phantom, and Exodus, and API keys for AI coding tools like Claude Desktop and VS Code.

The incident shows the pervasive risk within the software supply chain because a single compromised account can lead to widespread credential theft. The malicious code, embedded in the official package releases on July 11, 2026, was designed for cross-platform execution on Windows, macOS, and Linux systems. Rapid detection by security researchers from Socket, StepSecurity, and SafeDep identified the rogue releases shortly after publication.

The attack used npm's install script functionality, though later versions moved the dropper into the package's core logic to bypass --ignore-scripts. This strategy ensured the infostealer would activate regardless of user security settings, immediately compromising any system pulling the affected versions. The compromised jscrambler package, typically a build-time dependency with approximately 15,800 weekly downloads, provided attackers direct access to sensitive development and operational environments.

How Was the Jscrambler NPM Package Compromised and Exploited?

The jscrambler npm package was compromised through a hijacked npm publishing credential belonging to a legitimate maintainer, allowing an attacker to push malicious versions without authorization. On July 11, 2026, the first rogue release, jscrambler@8.14.0, appeared on npm, containing a preinstall hook designed to execute an infostealer. Subsequent malicious versions, 8.16.0, 8.17.0, 8.18.0, and 8.20.0, were also published, with the dropper mechanism changed to improve stealth and execution.

For versions 8.14.0, 8.16.0, and 8.17.0, the malware operated via a preinstall hook, automatically triggering a payload execution during the installation process. In later malicious versions, specifically 8.18.0 and 8.20.0, the dropper logic was integrated directly into the package's main code and CLI. This alteration meant the malware would activate when the package was imported or executed, circumventing npm install --ignore-scripts directives.

The payload, a Rust infostealer, was compiled for all three major operating systems: Windows, macOS, and Linux. This native binary, concealed within an approximately 7.8MB intro.js container (despite its .js extension, it was not JavaScript), was deployed to the system's temporary directory under a random filename, marked executable, and launched in a detached, hidden process. The attacker's control over the npm credential enabled them to bypass typical project release flows and inject malicious code directly into the distribution channel. Supply chain attacks, which weaponize legitimate software components, threaten development pipelines and user security. For more context on similar threats, see our analysis of Polinrider supply chain malware.

What Data Did the Rust Infostealer Target?

The Rust infostealer specifically targeted a range of sensitive data valuable to developers and system administrators, including cloud and cryptocurrency credentials, as well as session tokens. Focusing on development environments allowed it to access high-privilege information that typically resides on build machines or CI runners.

The data categories sought by the infostealer include:

  • Cloud Credentials:
  • AWS keys and configuration files.
  • Azure cloud credentials.
  • Google Cloud Platform (GCP) credentials, including metadata endpoints used by CI runners.
  • Cryptocurrency Wallets:
  • Seed phrases and wallet data from MetaMask, Phantom, and Exodus.
  • Password Managers:
  • Vault data from the Bitwarden password manager.
  • Browser Data:
  • Stored passwords and session cookies from web browsers.
  • Communication & Gaming Sessions:
  • Active sessions for Discord, Slack, Telegram, and Steam.
  • AI Coding Tools:
  • Configuration files and API keys for AI development tools such as Claude Desktop, Cursor, Windsurf, VS Code, and Zed. These often contain API keys and Model Context Protocol (MCP) server credentials.

Beyond data exfiltration, the malware used persistence mechanisms tailored to each operating system. On Windows, it established a hidden scheduled task set to re-launch every minute, ensuring its survival across reboots. macOS systems saw the creation of a LaunchAgent that reloaded the infostealer upon user login. The Linux variant also demonstrated advanced capabilities by linking the kernel's BPF library, allowing it to load an eBPF program directly into the kernel from memory to gain a deep foothold beyond userspace.

How Was the Attack Detected and Mitigated?

The attack was rapidly flagged by cybersecurity firm Socket just six minutes after the initial malicious version, jscrambler@8.14.0, was published on npm. This swift detection was crucial in identifying the compromise before it could spread more widely. Subsequent analyses by StepSecurity and SafeDep confirmed the malicious nature of the package and provided details into its functionality.

These investigations revealed that the added malicious files were not present in jscrambler's public source repository on GitHub, indicating that the compromise occurred at the publishing stage via a stolen npm credential rather than through a direct code injection into the project's source. Jscrambler publicly confirmed the compromise of an npm publishing credential and took immediate remediation steps.

Jscrambler deprecated the malicious releases and published a clean version, 8.22.0, which is now recommended for users. However, the deprecated versions remain installable by exact version pinning, posing an ongoing risk for projects with outdated lockfiles or manual installations. The company also revoked and rotated its publishing credentials and hardened its publishing pipeline to prevent future incidents. The npm 12 client, released just three days prior to this incident, defaults to disabling install scripts, which would have prevented automatic execution for users running newer npm versions. However, older clients still execute these scripts automatically, leaving many users vulnerable.

Organizations that installed any affected version of jscrambler should immediately upgrade to version 8.22.0 or pin to 8.13.0, clearing all related lockfiles and caches. A complete audit of any workstation or CI runner that pulled a malicious version is advised, with particular attention to rotating all potentially compromised credentials. These incidents show the challenges in securing software ecosystems, including those using Rust. Previous research on vulnerabilities like the Rust Async Tar RCE has also demonstrated these challenges.

Indicators of Compromise

Organizations that use the jscrambler package should immediately verify their environment for any signs of compromise. The following indicators can assist in detection:

  • Malicious Package Versions:
  • jscrambler@8.14.0
  • jscrambler@8.16.0
  • jscrambler@8.17.0
  • jscrambler@8.18.0
  • jscrambler@8.20.0
  • File Hashes (SHA-256):
  • dist/setup.js: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
  • dist/intro.js: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
  • Linux payload: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
  • Windows payload: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
  • macOS payload: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
  • Command-and-Control (C2) IPs:
  • 37.27.122[.]124
  • 57.128.246[.]79
  • The binaries also communicate with Tor infrastructure (e.g., check.torproject[.]org, archive.torproject[.]org).
  • On-Host Artifacts:
  • Randomly named hidden files in system temporary directories (e.g., .random or .random.exe on Windows).
  • Hidden Windows scheduled tasks for persistence.
  • macOS LaunchAgents (unfamiliar .plist files in ~/Library/LaunchAgents) for persistence.

Which Threat Actors Targeted Pakistani Law Enforcement Agencies?

A sustained cyber espionage campaign, active between February 2024 and April 2026, targeted several Pakistani law enforcement organizations, involving suspected China- and India-aligned threat actors. The primary targets included the Balochistan Police, along with the Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority (PSCA). This multi-group activity aimed to extract sensitive governmental and citizen data, indicating a high-value intelligence gathering objective.

SentinelOne SentinelLABS reported the compromise of critical assets at Balochistan Police, including network appliances and web servers that managed police and citizen data such as criminal records, biometric information, and hotel/tenant registrations linked to national identity records. A Fortinet FortiMail appliance, serving as the agency's primary inbound email gateway, was also among the compromised infrastructure. This convergence of multiple nation-state actors on a single target shows the strategic importance of the intelligence held by these law enforcement institutions.

The campaign used multiple distinct malware families and attack clusters. SentinelOne identified four primary clusters: one associated with India-nexus threat actors and three linked to China-nexus groups. These included commodity and custom tooling, which showed the diverse capabilities used against the targets.

What Malware Families Were Deployed in the Campaign?

The cyber espionage campaign against Pakistani law enforcement used a range of malware families, each attributed to different threat clusters. The deployment of these tools reflects the varied tactics and objectives of the involved China- and India-aligned adversaries.

The identified malware families include:

  • PlugX: Traditionally associated with Chinese nation-state hacking groups, this remote access Trojan (RAT) was observed in operations between February 27 and September 28, 2024. Victims included government, foreign affairs, defense, non-governmental, and research entities across South, Southeast, Central, and East Asia, the Arabian Peninsula, and Southeast Europe.
  • ShadowPad: Considered a successor to PlugX, this modular backdoor is also a hallmark of Chinese state-sponsored actors. Instances of ShadowPad activity were noted between August 3 and December 1, 2024, showing a similar victimology profile to PlugX.
  • Cobalt Strike: This commercial penetration testing tool, frequently weaponized by various threat actors, including China-nexus groups, was used in attacks linked to the IP address 142.171.183[.]8. Traffic to this C2 server showed connections from government, academic, telecommunications, and non-governmental entities across South, East, and Southeast Asia, the Middle East, and South America, consistent with Chinese intelligence collection priorities. Tibetan Buddhist organizations in Taiwan, historically targeted by China for cyber espionage, were also among the victims.
  • Remcos RAT: This commercial RAT was linked to an India-nexus threat actor, sharing infrastructure and tactical overlaps with a group known as Mysterious Elephant (also tracked as APT-C-08, APT-K-47, and TAG-179). Mysterious Elephant itself has known commonalities with other India-nexus adversaries such as SideWinder, Confucius, and Bitter. Attack chains involving Remcos RAT used lures disguised as official Pakistani law enforcement documents, such as an operational plan for the repatriation of illegal foreigners, including Afghan Citizen Card (ACC) holders.

The use of both custom and commodity malware allowed the threat actors to maintain persistent access and collect a wide range of sensitive information over an extended period. The diverse toolset further complicates attribution and defense efforts for targeted organizations.

How Was the Complaint Management System Weaponized?

A significant aspect of the espionage campaign against Balochistan Police involved the compromise and weaponization of their Complaint Management System (CMS). This web application, cms.balochistanpolice.gov[.]pk, is used by both police staff and citizens for registering, tracking, and resolving complaints. By infiltrating this system, the threat actors expanded their reach beyond the initially compromised internal network.

Two distinct variants of an implant named cms_plugin.exe were uploaded to the CMS website:

  • Rust Stager: This variant was designed to download an additional payload from 193.42.25[.]65 and execute it. Upon execution, it displayed a message stating "Update Complete! Please refresh the page," mimicking a legitimate CMS portal update to avoid suspicion. The precise nature of the secondary payload remains under investigation, but its staging capability suggests further, more specialized malware deployment.
  • .NET Executable (AsyncRAT Client): The second variant masqueraded as 360Safe.exe, a legitimate binary used by Qihoo 360 Total Security. This executable was configured to reflectively load an assembly that implemented an AsyncRAT client, giving the attackers remote access and control over compromised systems.

The exploitation of the CMS web application demonstrates a deliberate tactic to use public-facing infrastructure as a malware delivery mechanism. By hosting implants on a portal used by both citizens and law enforcement personnel, the threat actors turned a tool intended for public service into a vector for malware dissemination. This method allowed the adversaries to target a broader user base and potentially gain access to systems beyond the direct Balochistan Police network. The compromise of such a system provides a pathway for sustained espionage against many individuals and entities.

Technical Takeaways

  • The jscrambler npm package supply chain attack involved the compromise of a legitimate npm publishing credential, leading to the distribution of a multi-platform Rust infostealer through official releases 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0.
  • The Rust infostealer targeted a full range of developer-centric credentials, including AWS, Azure, Google Cloud keys, cryptocurrency wallet seed phrases (MetaMask, Phantom, Exodus), Bitwarden vaults, browser data, and AI coding tool API keys.
  • Persistence mechanisms were custom-built for each operating system: hidden Windows scheduled tasks, macOS LaunchAgents, and for Linux, the capability to load eBPF programs directly into the kernel.
  • Multiple nation-state-aligned threat actors, specifically from China and India, conducted a long-running cyber espionage campaign (February 2024 - April 2026) against Pakistani law enforcement agencies, including Balochistan Police.
  • The Pakistani campaign used diverse malware families, including PlugX, ShadowPad, Cobalt Strike (China-nexus), and Remcos RAT (India-nexus, linked to Mysterious Elephant), compromising systems such as Fortinet FortiMail appliances and the Complaint Management System for data exfiltration and malware delivery.