Jscrambler npm compromise

Jul
13
News banner: npm 12 blocked --ignore-scripts bypasses, but Jscrambler still got compromised in three days. Safe version: 8.22.0.

npm 12 blocked --ignore-scripts bypasses. Jscrambler's compromise found another way in three days

A compromised Jscrambler npm release ran an infostealer from a preinstall hook, then moved the same payload into normal package code once npm 12 disabled scripts by default.
3 min read