Cyber Threat Brief — July 13 2026
⚠️ This report is AI-generated. Always validate findings.
1. jscrambler npm Supply Chain Attack — Rust Infostealer Targets Dev Machines
TL;DR: Five malicious jscrambler npm releases (8.14.0–8.20.0) published July 11 via compromised credential drop a cross-platform Rust infostealer that harvests cloud creds, crypto wallets, AI coding tool configs, and browser sessions. 15,800+ weekly downloads; Socket detected in 6 minutes.
What’s New:
- Compromised versions: 8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0 — published over ~3 hours on July 11
preinstallhook in 8.14.0–8.17.0 runsdist/setup.js; 8.18.0+ pivots torequire()-time injection indist/index.jsbypassing--ignore-scriptsdist/intro.jsis a 7.8 MB binary container (header\x1bCSI\x01) packing gzip-compressed Rust ELF/PE/Mach-O infostealers- Targets: Claude Desktop, Cursor, Windsurf, VS Code MCP configs; MetaMask/Phantom/Coinbase/Exodus wallets; AWS/GCP/Azure IMDS + Secrets Manager; Discord/Slack/Telegram sessions; Chromium/Firefox browser stores
- Persistence via Windows scheduled tasks and macOS LaunchAgents; anti-debug checks; ChaCha20-Poly1305 per-string obfuscation (~2,400 encrypted strings)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
[email protected]/8.16.0/8.17.0/8.18.0/8.20.0 | Malicious package | T1195.002 | npm audit logs, lockfiles | Remove; upgrade to 8.22.0 |
dist/intro.js SHA-256: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86 | Payload container | T1204.002 | File integrity | Hunt in CI/dev systems |
Linux ELF SHA-256: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd | Infostealer | T1059.004 | EDR process telemetry | Block hash |
Windows PE SHA-256: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903 | Infostealer | T1059.001 | EDR, Sysmon | Block hash |
macOS Mach-O SHA-256: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd | Infostealer | T1059.004 | EDR | Block hash |
C2 IPs 37.27.122[.]124, 57.128.246[.]79 | Exfil endpoint | T1041 | Firewall, proxy | Block outbound |
Temp dir files with random names + .exe launched by node | Execution | T1204.002 | Sysmon EID 1 | Alert: node spawning temp binary |
POST /upload with multipart/form-data to C2 IPs | Data exfil | T1048.001 | Proxy, NDR | Block/alert |
| LaunchAgent or Scheduled Task created by node/npm process | Persistence | T1543.001, T1053.005 | macOS unified log, Windows EID 4698 | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Linux Ingress Tool Transfer Hunting (partial post-exploit) | No npm supply-chain-specific rule; need Sysmon rule for node.exe spawning unsigned temp binaries |
| Elastic | None specific | Gap: no rule for npm preinstall/require-time binary drops; need process tree rule for node → temp binary execution |
| Sigma | None specific | Gap: no rule for CSI container format or ChaCha20 obfuscated payloads; community rule needed for npm install hook abuse |
Sources: Socket Research · The Hacker News · JFrog Security Research · Jscrambler Advisory
Status Updates
- CVE-2026-48939 / CVE-2026-56291 (iCagenda / Balbooa Forms for Joomla): CISA KEV federal deadline TODAY July 13. Both CVSS 10.0 unauthenticated file upload RCE. Active zero-day exploitation since June 15 (iCagenda). Patch: iCagenda 4.0.8/3.9.15, Balbooa Forms 2.4.1. CISA Alert · The Hacker News