jscrambler 8.14.0 npm package ships with preinstall Rust infostealer
Source headline: Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
Intelligence Summary
The jscrambler npm package version 8.14.0 contains a malicious preinstall hook. During installation, it silently drops a native Rust infostealer compiled for Windows, macOS, and Linux. The malicious activity runs automatically once the package is installed, without any additional imports or CLI usage. This compromises developer and CI environments that install the affected version from npm. Users should avoid 8.14.0, upgrade to a clean fixed release, and review build logs and suspicious binaries.
Recommended Action
Prioritize immediate review, validate exposure, and patch or mitigate affected systems.