Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
The npm package jscrambler, a JavaScript obfuscation tool, had its version 8.14.0 release compromised. According to The Hacker News, the malicious release drops a Rust-based infostealer during the installation process. The infostealer is designed to exfiltrate sensitive information from the compromised system. The attack vector involves the package's install script executing the malicious payload. Users who installed jscrambler 8.14.0 are affected. The source does not specify the exact data targeted, the distribution mechanism beyond npm, or any remediation steps. The incident highlights the ongoing risk of supply chain attacks via package registries.
Compromised npm packages can lead to credential theft and data breaches in developer environments.