thehackernews.com web signal

jscrambler npm hijack sweeps AI coding tool config keys

TL;DR

  • A compromised jscrambler npm package shipped a cross-platform Rust infostealer across five releases (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0) starting July 11, 2026.
  • The malware specifically targeted config files for Claude Desktop, Cursor, Windsurf, VS Code and Zed, including API keys and Model Context Protocol credentials.
  • Socket flagged the initial release six minutes after publication; jscrambler traced the incident to a compromised npm publishing credential, with 8.22.0 as the clean upgrade.

The interesting bit in this week's npm supply chain attack isn't the mechanics, which are familiar by now. It's the target list. According to The Hacker News, a compromised version of the jscrambler package started shipping a cross-platform Rust infostealer on July 11, 2026 that, alongside the usual cloud credentials and crypto wallets, went hunting through config files for Claude Desktop, Cursor, Windsurf, VS Code and Zed, including Model Context Protocol credentials.

The version history is worth reading closely. Five releases were tagged as malicious: 8.14.0, 8.16.0, 8.17.0, 8.18.0 and 8.20.0, with a clean 8.15.0 in between and 8.22.0 as the confirmed clean upgrade. The first releases used a standard preinstall hook. Later versions moved the dropper into the main package code, the kind of change that quietly defeats developers relying on install-script blocking as their mitigation. Socket reportedly flagged the initial release six minutes after publication, and jscrambler has said the root cause was a compromised npm publishing credential.

Why this matters if you don't ship jscrambler is that your AI coding assistant's config file is now a first-class target. Anthropic keys, MCP endpoints and whatever tokens your Cursor or Windsurf setup has cached to make agentic workflows feel seamless are, on most machines, sitting in a predictable path in lightly protected JSON. A weekly download count of about 15,800 gives you a rough sense of the exposed base for this one package, but the pattern will generalize to every registry and every AI dev tool that stores keys the same way.

What the reporting doesn't give you is a confirmed count of infected machines, where the stolen material was sent, or how the maintainer's npm credential was taken in the first place. Take the six-minute detection as encouraging on the defender side, not as a ceiling on damage. The forward-looking read is that AI dev tool vendors now have a clear reason to move API keys out of user-editable JSON and into the OS keychain, and that anyone shipping an MCP server should assume the credential store on the other end is being scraped.