Jscrambler npm Package Backdoored: Inside the IronWorm Infostealer Supply Chain Attack

Hackers backdoored the Jscrambler npm package with a Rust infostealer. Here is how the supply chain attack worked, which versions were hit, and what data it stole.

Govern npm Execution Before Secrets Leave
  • July 16, 2026

Lately, a threat actor pushed a backdoored version of the popular jscrambler package to the npm registry. Consequently, anyone who ran a simple install triggered a cross-platform Rust infostealer before a single line of application code executed.

A Security Vendor Became the Weak Link

Jscrambler sells client-side protection and JavaScript code integrity tooling. Ironically, its own distribution channel became the vector. The jscrambler package receives approximately 15,800 weekly downloads, developers install it as a build dependency or run it inside CI systems.

Because the malicious code fired during the npm preinstall lifecycle hook, victims needed no manual action. Simply installing the package was enough. Moreover, that placement exposed developer workstations, automated build servers, and CI runners all at once.

How the Backdoored Package Actually Worked

The compromised 8.14.0 release added two new files under dist/. First, setup.js acted as a small loader. Second, intro.js posed as JavaScript but was actually a 7.8 MB binary container marked with a custom five-byte header (\x1bCSI\x01).

That container packed three gzip-compressed native executables:

  • A Linux x86-64 ELF binary
  • A Windows x86-64 PE32+ binary
  • An Apple Silicon macOS Mach-O binary

On install, setup.js read the container, selected the binary matching the host OS, and wrote it to a randomly named hidden file in the temp directory. Then it marked the file executable and launched it detached with output hidden. None of these files existed in the clean 8.13.0 release, and no matching commit or tag appeared in the public GitHub repository.

npm Package Supply Chain Compromise

Target Ecosystem
npm Registry
Attack Vector
Preinstall & CLI
C2 Protocol
Tor & Direct IPs
Compromised Package
jscrambler
Target & Scope
  • Targeted popular client-side protection and JS integrity package jscrambler on the npm registry.
  • Compromised releases affected developer workstations, automated build servers, and CI runners globally.
  • Triggered automatically during npm preinstall lifecycle hooks and package CLI imports.
Malware & Tactics
  • Distributed a multi-platform infostealer compiled in Rust for Windows, Linux, and macOS.
  • Concealed native binaries inside a 7.8 MB payload container (intro.js) with a custom 5-byte header.
  • Encrypted configuration strings using ChaCha20-Poly1305 to hinder static analysis.
Evasion & Replication
  • Harvested cloud API keys (AWS/Azure/GCP), crypto wallets (MetaMask), and IDE configs (Claude/Cursor).
  • Deployed IronWorm self-replicator to compromise downstream packages via raw HTTP PUT.
  • Established C2 via built-in Tor client beacons, uploading exfiltrated secrets to public file hosts.
Indicators of Compromise (IoC)
Category Indicators
Domains server.exodus.io, registry.npmjs.org
IPs 37.27.122.124, 57.128.246.79
Malware IronWorm (Rust Infostealer)
Packages jscrambler (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0)
TTPs preinstall hooks, eBPF injection, anti-debugging, ChaCha20-Poly1305, Tor C2, HTTP PUT publishing

The Rust Infostealer Hunted Developer Secrets

This payload is an infostealer built in Rust designed to steal valuable credentials from affected hosts. Particularly, it encrypts all configuration strings using ChaCha20-Poly1305 algorithm, which makes the code difficult to reverse engineer.

After decryption, it was found that the targeted items included:

  • Cloud credentials for AWS, Azure, and Google Cloud, including metadata endpoints
  • Wallets from browser extensions such as MetaMask, Trust Wallet, Coinbase Wallet, Phantom, and Exodus wallets (server.exodus.io), stealing HD Key Tree, mnemonic, and seedPhrase keys
  • AI coding software and MCP configurations for Claude, Cursor, Windsurf, VS Code, and Zed
  • Cookies and passwords from Chromium and Firefox browsers
  • Sessions of messaging applications Slack, Discord, and Telegram
  • Credentials stored by password managers, including Steam sessions and OS keychains

Also, the Linux version of the malware can inject an eBPF program into the kernel, and Windows and macOS versions add anti-debugging functionality and reboot persistence using scheduled tasks/LaunchAgents.

The Attack Escalated Fast and Changed Tactics

The threat actor did not stop at one release, they published four more malicious releases of jscrambler over roughly three hours, bringing the total to five: 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Meanwhile, clean interim releases were pushed as apparent remediation attempts.

Crucially, the delivery method shifted partway through. The first three versions ran the dropper from a preinstall hook. However, versions 8.18.0 and 8.20.0 moved the identical dropper into the package’s main code and CLI. As a result, the malware fired on import and survived npm install even with the ignore-scripts flag.

IronWorm: A Self-Replicating Threat Returns

The threat was identified as IronWorm, an evolved variant has surfaced in compromised versions of the popular jscrambler npm package, tied to the Shai-Hulud lineage. This variant does more than steal. Indeed, it is built to spread itself automatically.

The worm hunts npm tokens in environment variables and .npmrc files. Afterward, it validates them against the registry, picks high-download packages, injects a malicious setup.mjs preinstall script, and publishes infected tarballs. Remarkably, it uploads them straight to registry.npmjs.org through a raw HTTP PUT, never touching the npm client.

The malware also runs its own Tor client for command and control, beaconing to two hard-coded IPs, 37.27.122.124 and 57.128.246.79. For bulk theft, though, it uploads stolen data to a public file host over a direct, unproxied connection, which leaks the victim’s real IP address.

Incident Flow & Technical Breakdown

The breach happened very rapidly because the malicious version was detected just six minutes after being released. Instantly, automated maintainer notifications were activated to enable immediate deprecation of any compromised versions, as well as credential rotation, as a fresh 8.22 version was immediately rolled out. The rogue version originated from npm publishing credentials that had been breached.

This timing coincided with a switch within the ecosystem. Specifically, on July 8th, npm 12 stopped enabling dependency install scripts by default. In modern client environments, where the attack uses preinstall hooks, users have to give explicit permission for these to work. This poses risks for legacy environments where old versions of npm remain in use.

Conclusion: When npm Install Becomes Credential Theft

The Jscrambler compromise shows why software supply chain attacks are so dangerous. Developers did not need to open a malicious attachment or run a suspicious installer. A trusted package executed the attack automatically during installation, selected the correct native payload for the host operating system, and launched an infostealer before application code even began to run.

The package was trusted.
The execution should not have been.

Why This Threat Matters

IronWorm targeted the systems and secrets that modern software delivery depends on.

  • Developer workstations, build servers, and CI runners were exposed at once
  • Native payloads supported Windows, Linux, and macOS
  • Cloud credentials for AWS, Azure, and Google Cloud were targeted
  • Browser passwords, cookies, messaging sessions, and crypto wallets were harvested
  • AI coding tools and MCP configurations were searched for sensitive data
  • Stolen npm tokens allowed the malware to infect downstream packages automatically
  • Later releases moved execution beyond preinstall hooks, reducing the value of ignore-scripts

This was not only an infostealer campaign. It was a self-replicating attack against developer trust.

Where Xcitium Changes the Outcome

For organizations using Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, trusted package installation does not grant unknown native code unrestricted rights.

This is Execution Governance.

Unknown binaries extracted from the package are governed when they execute.
Code can run without being able to cause damage.
Secret harvesting, persistence, kernel-level activity, Tor communication, and downstream package manipulation cannot freely impact the real environment.

Xcitium ITDR strengthens the next layer when stolen cloud credentials, npm tokens, browser sessions, or privileged identities are reused against enterprise services.

With Xcitium in place, the attack chain fails at execution because the infostealer never receives the freedom it needs to turn package trust into credential theft.

Trust the Package. Govern the Execution.

The Jscrambler incident proves that reputation, download volume, signed tooling, and public source repositories are not sufficient proof of safety. A trusted package can change between releases. A clean repository can differ from the artifact published to the registry. A routine install can become the first stage of a global compromise.

Verify package integrity.
Rotate exposed credentials.
Audit build systems and developer endpoints.
Govern unknown execution before trust becomes impact.

Like what you see? Share with a friend.

Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent if from causing any damage. Zero infection. Zero damage.

Book a Demo