Multiple Jscrambler Packages Impacted by Supply Chain Attack

https://www.securityweek.com/wp-content/uploads/2026/06/supply-chain-threat.webp

Several malicious versions of Jscrambler’s NPM package were published over the weekend as part of a supply chain attack involving compromised credentials.

The popular NPM package is used within the Jscrambler Code Integrity product, a JavaScript protection solution that turns web and mobile applications self-defensive and tamper-resistant.

The attack started on July 11, when a threat actor used the NPM publishing credentials to push a modified version of the package, containing a preinstall hook to drop binaries during the installation process.

While Jscrambler was responding to the incident, the threat actor published additional malicious iterations of the package, namely 8.16, 8.17, 8.18, and 8.20. The first clean version of the package is 8.22.

As the NPM library is a dependency for other packages, the incident also affected Jscrambler-webpack-plugin version 8.6.2, gulp-Jscrambler version 8.6.2, grunt-Jscrambler version 8.5.2, and Jscrambler-metro-plugin version 9.0.2.

According to Jscrambler, NPM data shows that the malicious package...

Copyright of this story solely belongs to securityweek.com. To see the full text click HERE