CyberSecurity News
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
AI summary
A malicious version of the jscrambler npm package, version 8.14.0, was released with a preinstall hook that installs a native infostealer on Windows, macOS, and Linux systems. The infostealer is dropped and run silently during installation, without requiring any import or command-line interface call. Simply installing version 8.14.0 is enough to trigger the malicious activity. The compromised package was published on July 11, 2026. The issue was quickly flagged by Socket, just six minutes after the release was published. The malicious package affects all three major operating systems, putting users at risk of data theft.
This is an AI-generated brief aggregated by HackerFeeds for convenience and grounded in the source’s own summary; the related CVE, threat-group and country data is from HackerFeeds’ own indexes. The original article is the authoritative source — all rights belong to The Hacker News.

