SafeDep
Install GitHub App

Summary

Note: This report is updated by a verification record

SUPPLY-CHAIN COMPROMISE of the official jscrambler npm client (60K dl/mo; publisher jscrambler_/info@jscrambler.com = legit org, account/CI compromise). 8.14.0 added a NEW preinstall node dist/setup.js + NEW 7.5MB dist/intro.js (entropy 8.00, custom packed multi-platform binary container, magic 1b435349 01) — both absent in 8.13.0. Main-loop read of setup.js (43 lines): gunzips the platform-matched payload from intro.js, writes to os.tmpdir()/.{random} with 0o755 exec bit (.exe via String.fromCharCode on Win), spawn detached+unref+windowsHide, errors swallowed = silent install-time native-binary dropper. Convict on mechanism. Version-scoped (8.13.0 clean). Urgent takedown.

Verification Record

The package is marked as malware by OSV: MAL-2026-10187 with source: amazon-inspector

Details

Note: This report is updated by a verification record

jscrambler@8.14.0Malicious
Verified
Analysed at: 7/11/26, 3:59 PM
Source: -
SHA256:
Confidence: High