The Jscrambler client-side web security company disclosed that a threat actor published a malicious version of its npm package that has been downloaded almost 1,500 times.

Malicious jscrambler 8.14.0 runs hidden binaries during npm install on Windows, macOS, and Linux, with no fix available as of July 11, 2026.

On July 11 2026, npm install jscrambler ran a Rust infostealer before the package finished installing. The attack anatomy and what to audit in your pipeline.