The Jscrambler client-side web security company disclosed that a threat actor published a malicious version of its npm package that has been downloaded almost 1,500 times.
The malicious Jscrambler package spanned releases 8.14, 8.16, 8.17, and 8.20 and included information-stealing malware that executed during the ‘preinstall’ hook.
“Today, we identified the unauthorized publication of a malicious version of our jscrambler npm package, which is used with our Code Integrity product,” Jscrambler says in a warning on Saturday.
“This incident was limited to that package and did not affect any other Jscrambler products, including Webpage Integrity,” the company said.
Although Jscrambler reacted quickly, the malicious package lasted for two hours before the developer deprecated it and released the safe version 8.22.
The affected package was a dependency for four other Jscrambler packages, which the vendor has also deprecated and replaced with new versions.
Statistical data from Node Package Manager (npm) shows that the malicious package was downloaded 1,479 times during the two-hour window.
Jscrambler is a commercial platform for protecting web and mobile JavaScript applications from reverse engineering and tampering.
Its npm package has 17,000 weekly downloads and enables app developers to upload their JavaScript to Jscrambler’s service to protect the code from alteration. This helps defend against real-time modifications like injecting malicious code.
Application-security company Socket detected the compromise and analyzed the unauthorized Jscrambler release. The researchers say that the package included an infostealer that targeted multiple types of sensitive data:
... continue reading