Security firm Jscrambler disclosed that attackers published a malicious version of its npm package, which was downloaded nearly 1,500 times before detection. The compromised package contained infostealer malware targeting developer systems.
Jscrambler, a client-side web security company, confirmed that threat actors successfully backdoored its npm package with malicious code. The compromised version remained available on the npm registry long enough to be downloaded approximately 1,500 times.
The malicious package contained infostealer malware designed to harvest sensitive information from affected systems. Developers who installed the backdoored version during the window of compromise may have had credentials, environment variables, and other system data exposed.
The attack represents a continuing threat to the npm ecosystem, where supply chain compromises remain a significant vulnerability. Attackers typically target popular or widely-trusted packages to maximize the number of affected systems and increase their chances of accessing valuable data or credentials.
Jscrambler has not disclosed specific details about how the attacker gained access to publish the malicious version, though compromised credentials or account takeover are typical vectors for such attacks. The company has since removed the malicious package from npm and released information to help developers identify if they were affected.
Developers using Jscrambler should verify which version of the package they have installed and review their system security for signs of compromise. The incident underscores the importance of monitoring package dependencies and enabling two-factor authentication on npm accounts.
This incident follows a pattern of supply chain attacks targeting the JavaScript ecosystem. Previous compromises have affected popular packages including colors.js, event-stream, and others, highlighting the need for stronger security measures around package publication and distribution.
Npm has implemented several security features in recent years, including mandatory two-factor authentication for high-impact packages, but attacks continue to succeed against less-protected projects.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.