Version 8.14.0 of the jscrambler npm package shipped
with a malicious preinstall hook that silently drops and
runs a native infostealer during installation, one build each for
Windows, macOS, and Linux. Published on July 11, 2026, it needs no
import and no CLI call. Installing 8.14.0 is enough to run it.
Socket flagged the release six minutes after it was
Read more https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html

