ON July 11, 2026, version 8.14.0 of the `jscrambler` npm package was released, containing a malicious preinstall hook that deploys a platform-specific native binary on Linux, Windows, and macOS. This version, used for JavaScript obfuscation and web-app protection, had its clean version history compromised and was flagged with a maximum suspicion score of 0 by StepSecurity's AI Release Analyzer.
The malicious payload, disguised as JavaScript, is a Rust-compiled binary capable of stealing credentials and crypto wallet data, utilizing built-in SQLite and LevelDB engines. Users should downgrade to version 8.13.0 if installed, rotate credentials, and audit browser extensions for unauthorized activities.