« All posts

Malicious Jscrambler NPM Package Versions Deploy Infostealer

A supply chain attack on the jscrambler npm package highlights risks to developer credentials.

On July 11, 2026, a sophisticated supply chain attack was identified involving the jscrambler npm package. Multiple malicious versions were published using a compromised maintainer's credentials, containing a Rust-based infostealer designed to harvest sensitive developer information. This incident underscores the risks associated with dependency confusion and credential compromise in software development.