When one of my agents runs npm install, I am not watching the terminal. That is the whole point: the agent takes a ticket, resolves the dependencies, runs the build, and reports back. Nobody is reading the scroll of install output line by line. On July 11 2026, that gap stopped being a convenience and started being an attack surface.
That day, someone pushed a poisoned version of the jscrambler npm package. Anyone who ran npm install against it got a Rust infostealer dropped on their machine before the package even finished installing. No click. No prompt. No mistake on the victim's part. The payload went for browser credentials, crypto wallets, and Bitwarden vaults, then set up persistence and phoned home. A scanner called Socket flagged it about six minutes after publication. Most developers do not run Socket. Most CI pipelines do not either. And no AI coding agent I know of reads install output for a credential stealer before it executes.
I run more than a dozen side projects on a Kanban board called KittyClaw, and several of them are Node projects whose installs I delegate to agents. jscrambler is not in any of my dependency trees. But playwright-core is, and the mechanism that made jscrambler dangerous does not care which package it rides in on. This one is worth pulling apart.









