registry  /  jscrambler  /  8.17.0

jscrambler@8.17.0

this package version was compromised

Jscrambler Code Integrity API client.

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10187 confirms this npm version as malicious. Supply-chain compromise of the official jscrambler npm client, a legitimate JavaScript obfuscation tool with roughly 60K downloads per month. Version 8.14.0 was published from the legitimate publisher account (jscrambler_ / info@jscrambler.com), which points to an account or CI compromise rather than a typosquat. Compared to the clean 8.13.0, version 8.14.0 adds a new preinstall hook (node dist/setup.js) and a new...

Advisory
MAL-2026-10187
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in jscrambler (npm)
Details
Supply-chain compromise of the official jscrambler npm client, a legitimate JavaScript obfuscation tool with roughly 60K downloads per month. Version 8.14.0 was published from the legitimate publisher account (jscrambler_ / info@jscrambler.com), which points to an account or CI compromise rather than a typosquat. Compared to the clean 8.13.0, version 8.14.0 adds a new preinstall hook (node dist/setup.js) and a new 7.5MB dist/intro.js file (entropy 8.00) that is a custom-packed, multi-platform binary container (magic bytes 1b435349 01); both are absent in 8.13.0. At install time, setup.js gunzips the platform-matched payload from intro.js, writes it to a randomly named file under the OS temp directory with the executable bit set (0o755, or a .exe extension on Windows built via String.fromCharCode), then spawns it detached with unref and windowsHide while swallowing all errors. The result is a silent, install-time native-binary dropper. Multiple releases are compromised (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0); the mechanism above was analyzed on 8.14.0. Version 8.13.0 is clean. --- ## Source: amazon-inspector (afb577cf150e98ebfe551df006c555204f327432baa3789473981888761a8677) The package's main entry (dist/index.js) contains a top-level IIFE that runs on every require('jscrambler'). It reads a bundled 7.8 MB sibling file dist/intro.js, validates a custom container header (0x1b 0x43 0x53 0x49 0x01), selects a platform-specific gzip section (linux/win32/darwin), writes the decompressed bytes to os.tmpdir() under a hidden random dot-file name with mode 0755, and spawns the binary detached with stdio ignored and windowsHide, then unrefs the child. Errors are swallowed. The bundled payload dist/intro.js is not JavaScript: it uses a custom multi-platform container and contains strings characteristic of a cryptocurrency-wallet seed-phrase harvester and a browser-session stealer, including the BIP-39 English wordlist marker (bip39_english) and Chromium/BoringSSL TLS internals (ResumptionAttemptedWithVariedEms). Neither README nor CHANGELOG documents any native runtime component, and the CHANGELOG has no entries past 8.13.0. The wrapper's shape (custom magic header, hidden tmp filename, detached spawn, error-swallowed try/catch, undocumented payload) is inconsistent with the package's advertised CLI/API-client purpose and matches a malicious release / account-takeover pattern targeting installer wallets and browser sessions.
Decision reason
OpenSSF Malicious Packages via OSV confirms jscrambler@8.17.0 as malicious (MAL-2026-10187): Malicious code in jscrambler (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory