www.stepsecurity.io 7/11/2026, 4:51:24 PM · external

Malicious jscrambler npm update steals credentials, crypto data

Malicious jscrambler npm update steals credentials, crypto data
CyberSIXT Evidence Panel Source marked as original reporting

ON July 11, 2026, version 8.14.0 of the `jscrambler` npm package was released, containing a malicious preinstall hook that deploys a platform-specific native binary on Linux, Windows, and macOS. This version, used for JavaScript obfuscation and web-app protection, had its clean version history compromised and was flagged with a maximum suspicion score of 0 by StepSecurity's AI Release Analyzer.

The malicious payload, disguised as JavaScript, is a Rust-compiled binary capable of stealing credentials and crypto wallet data, utilizing built-in SQLite and LevelDB engines. Users should downgrade to version 8.13.0 if installed, rotate credentials, and audit browser extensions for unauthorized activities.

View full article

Article by CyberSIXT