Cyber Threat Brief — July 13 2026

⚠️ This report is AI-generated. Always validate findings.

1. jscrambler npm Supply Chain Attack — Rust Infostealer Targets Dev Machines

TL;DR: Five malicious jscrambler npm releases (8.14.0–8.20.0) published July 11 via compromised credential drop a cross-platform Rust infostealer that harvests cloud creds, crypto wallets, AI coding tool configs, and browser sessions. 15,800+ weekly downloads; Socket detected in 6 minutes.

What’s New:

  • Compromised versions: 8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0 — published over ~3 hours on July 11
  • preinstall hook in 8.14.0–8.17.0 runs dist/setup.js; 8.18.0+ pivots to require()-time injection in dist/index.js bypassing --ignore-scripts
  • dist/intro.js is a 7.8 MB binary container (header \x1bCSI\x01) packing gzip-compressed Rust ELF/PE/Mach-O infostealers
  • Targets: Claude Desktop, Cursor, Windsurf, VS Code MCP configs; MetaMask/Phantom/Coinbase/Exodus wallets; AWS/GCP/Azure IMDS + Secrets Manager; Discord/Slack/Telegram sessions; Chromium/Firefox browser stores
  • Persistence via Windows scheduled tasks and macOS LaunchAgents; anti-debug checks; ChaCha20-Poly1305 per-string obfuscation (~2,400 encrypted strings)

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
[email protected]/8.16.0/8.17.0/8.18.0/8.20.0Malicious packageT1195.002npm audit logs, lockfilesRemove; upgrade to 8.22.0
dist/intro.js SHA-256: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86Payload containerT1204.002File integrityHunt in CI/dev systems
Linux ELF SHA-256: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bdInfostealerT1059.004EDR process telemetryBlock hash
Windows PE SHA-256: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903InfostealerT1059.001EDR, SysmonBlock hash
macOS Mach-O SHA-256: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fdInfostealerT1059.004EDRBlock hash
C2 IPs 37.27.122[.]124, 57.128.246[.]79Exfil endpointT1041Firewall, proxyBlock outbound
Temp dir files with random names + .exe launched by nodeExecutionT1204.002Sysmon EID 1Alert: node spawning temp binary
POST /upload with multipart/form-data to C2 IPsData exfilT1048.001Proxy, NDRBlock/alert
LaunchAgent or Scheduled Task created by node/npm processPersistenceT1543.001, T1053.005macOS unified log, Windows EID 4698Hunt

Detection

SourceRuleGap
Splunk ESCULinux Ingress Tool Transfer Hunting (partial post-exploit)No npm supply-chain-specific rule; need Sysmon rule for node.exe spawning unsigned temp binaries
ElasticNone specificGap: no rule for npm preinstall/require-time binary drops; need process tree rule for node → temp binary execution
SigmaNone specificGap: no rule for CSI container format or ChaCha20 obfuscated payloads; community rule needed for npm install hook abuse

Sources: Socket Research · The Hacker News · JFrog Security Research · Jscrambler Advisory


Status Updates

  • CVE-2026-48939 / CVE-2026-56291 (iCagenda / Balbooa Forms for Joomla): CISA KEV federal deadline TODAY July 13. Both CVSS 10.0 unauthenticated file upload RCE. Active zero-day exploitation since June 15 (iCagenda). Patch: iCagenda 4.0.8/3.9.15, Balbooa Forms 2.4.1. CISA Alert · The Hacker News