Booby-trapped jscrambler npm release runs infostealer the moment you install it
Version 8.14.0 of a popular JavaScript protection package shipped with a hidden payload that fires during install, no code changes required from the developer.

Key points
- Version 8.14.0 of the jscrambler npm package, published on July 11, 2026, carried a malicious install script that quietly runs an infostealer on the developer's machine.
- The tampered release includes separate infostealer builds for Windows, macOS, and Linux, so nearly any developer machine that installed it is at risk.
- Security firm Socket flagged the release six minutes after it went live, but installs during that window still executed the payload.
- Developers need no
importstatement and no command line call for the attack to run: simply installing the package is enough.
Someone slipped a booby trap into a widely used developer tool, and the trap goes off the second you install it.
The package is called jscrambler, and it lives on npm, the giant public library where JavaScript developers download building blocks for their apps. On July 11, 2026, version 8.14.0 was published. That version was not clean.
It shipped with what is known as a preinstall hook. That is a small script the package is allowed to run automatically as it installs itself, before the developer has touched a single line of it. The hook in 8.14.0 quietly dropped and ran an infostealer, meaning a program built to hunt through the computer for passwords, tokens, browser data, and anything else worth grabbing, and send it back to the attacker.
The attackers were thorough. They packed in three versions of the infostealer, one for Windows, one for macOS, and one for Linux. Whichever operating system the developer was using, there was a build ready to run.
The unusual part is how little the victim has to do.
With a lot of malicious npm packages, you at least have to import the code, meaning pull it into your own program, before anything bad happens. Not here. As The Hacker News noted in its writeup, no import and no command line call is needed. Installing 8.14.0 is enough.
How did a trusted package end up shipping malware?
The short answer is that someone with permission to publish new versions of jscrambler pushed a poisoned one. That usually means either the maintainer's npm account was taken over, most often through stolen credentials or a phishing email, or a build system with publish rights was broken into. The public details so far do not confirm which.
Either way, the effect is the same. Anyone who ran npm install jscrambler@8.14.0 during the window it was live got the payload.
Security firm Socket, which scans new npm releases automatically, flagged the release six minutes after it was published. That is fast. It is also not fast enough to protect the developers whose build servers or laptops pulled the package in those first few minutes.
Think of it like a software version of a supply chain attack on a supermarket. The shelf label is the same. The box looks the same. Someone swapped what is inside.
What should developers and companies do now?
If you or your team installed jscrambler 8.14.0, treat the machine that ran the install as suspect. Rotate any credentials that lived on it: cloud keys, GitHub tokens, npm tokens, browser-saved passwords. Pull the machine off shared networks until it has been cleaned.
Downgrade to the last known good version of jscrambler and pin it, meaning tell your project to refuse to auto-update past that version until the maintainers confirm the account is back under control.
For everyone else, this is another reminder that npm install is not a passive act. It runs code. That code can be new. And on a bad day, that code can be someone else's.



