The jscrambler npm package was compromised, and simply installing itsΒ 8.14.0Β release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries aΒ preinstallΒ hook that drops and executes a native binary, one build each for Windows, macOS, and Linux.
Socket flagged the releaseΒ six minutes after it was published. If you or one of your
Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026.
"At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and