Poisoned npm Package Used Preinstall Hook to Drop Malware Across All Major OS Platforms
On July 11, 2026, attackers pushed five malicious versions of the legitimate jscrambler npm package over roughly three hours, exploiting a preinstall hook to silently execute malware the moment developers ran npm install. The payload, a Rust-written infostealer, targeted browser credentials, cryptocurrency wallets, and Bitwarden vaults, then established persistence and transmitted stolen data to a remote server. No user interaction was required — the malicious code ran automatically before the package was even fully installed on disk. The attack covered Linux, Windows, and macOS by bundling three platform-specific binaries inside a single disguised JavaScript file. Security scanner Socket detected the threat approximately six minutes after publication, but most developers and CI pipelines do not use such tooling, leaving many potentially exposed.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in