<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: NetSecOpsIO</title>
    <description>The latest articles on DEV Community by NetSecOpsIO (@netsecops_io).</description>
    <link>https://dev.to/netsecops_io</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4026364%2Ff8523abd-5e51-43b6-9467-88028929606f.jpeg</url>
      <title>DEV Community: NetSecOpsIO</title>
      <link>https://dev.to/netsecops_io</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/netsecops_io"/>
    <language>en</language>
    <item>
      <title>Malicious 'jscrambler' NPM Package Versions Deploy Cross-Platform Infostealer</title>
      <dc:creator>NetSecOpsIO</dc:creator>
      <pubDate>Sun, 12 Jul 2026 19:58:25 +0000</pubDate>
      <link>https://dev.to/netsecops_io/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-4835</link>
      <guid>https://dev.to/netsecops_io/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-4835</guid>
      <description>&lt;h2&gt;
  
  
  Executive Summary
&lt;/h2&gt;

&lt;p&gt;On July 11, 2026, a sophisticated software supply chain attack was identified involving the popular &lt;code&gt;jscrambler&lt;/code&gt; npm package. Multiple malicious versions were published to the npm registry using a compromised maintainer's publishing credential. These packages contained a cross-platform infostealer written in Rust, designed to harvest sensitive developer credentials. The malware targeted a wide range of secrets, including cloud provider credentials, cryptocurrency wallets, and configuration files for modern AI coding assistants. The incident highlights the significant risk of dependency confusion and credential compromise in the software development lifecycle. &lt;strong&gt;&lt;a href="https://jscrambler.com/" rel="noopener noreferrer"&gt;Jscrambler&lt;/a&gt;&lt;/strong&gt; has taken remedial action, but organizations are urged to audit their systems and rotate all potentially exposed secrets immediately.&lt;/p&gt;

&lt;h2&gt;
  
  
  Threat Overview
&lt;/h2&gt;

&lt;p&gt;The attack began with the publication of &lt;code&gt;jscrambler&lt;/code&gt; version &lt;code&gt;8.14.0&lt;/code&gt; to the &lt;strong&gt;&lt;a href="https://www.npmjs.com/" rel="noopener noreferrer"&gt;npm&lt;/a&gt;&lt;/strong&gt; registry, followed by several other malicious versions (&lt;code&gt;8.16.0&lt;/code&gt;, &lt;code&gt;8.17.0&lt;/code&gt;, &lt;code&gt;8.18.0&lt;/code&gt;, &lt;code&gt;8.20.0&lt;/code&gt;). The threat actor leveraged a compromised npm publishing token to push these versions directly to the registry, bypassing the project's standard code review process on GitHub. The initial attack vector was an npm &lt;code&gt;preinstall&lt;/code&gt; script, which automatically executed upon package installation (&lt;code&gt;npm install&lt;/code&gt;). This script unpacked and ran a native binary infostealer. Later versions adapted to use &lt;code&gt;require()&lt;/code&gt;-time injection to evade detection mechanisms that block installation scripts.&lt;/p&gt;

&lt;p&gt;The primary goal of the attack was credential theft from developer workstations and CI/CD environments. The malware was specifically designed to be cross-platform, with executables for Windows, macOS, and Linux.&lt;/p&gt;

&lt;h2&gt;
  
  
  Technical Analysis
&lt;/h2&gt;

&lt;p&gt;The attack chain demonstrates a clear understanding of developer workflows and security blind spots.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Initial Access&lt;/strong&gt;: The attacker gained access to a valid npm publishing token for the &lt;code&gt;jscrambler&lt;/code&gt; package, allowing them to publish new versions. This aligns with &lt;a href="https://attack.mitre.org/techniques/T1195/002/" rel="noopener noreferrer"&gt;&lt;code&gt;T1195.002 - Compromise Software Supply Chain&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Execution&lt;/strong&gt;: The malicious code was executed via a &lt;code&gt;preinstall&lt;/code&gt; hook in the &lt;code&gt;package.json&lt;/code&gt; file. This hook ran a setup script that deployed the infostealer payload. This is a form of &lt;a href="https://attack.mitre.org/techniques/T1059/" rel="noopener noreferrer"&gt;&lt;code&gt;T1059 - Command and Scripting Interpreter&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Payload&lt;/strong&gt;: The payload was a 7.8MB Rust-based infostealer disguised as a JavaScript file (&lt;code&gt;intro.js&lt;/code&gt;). It contained compressed executables for Windows, macOS, and Linux.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Credential Access&lt;/strong&gt;: The infostealer was programmed to search for and exfiltrate a wide array of sensitive data, including:

&lt;ul&gt;
&lt;li&gt;  Cloud credentials for &lt;strong&gt;&lt;a href="https://aws.amazon.com/" rel="noopener noreferrer"&gt;AWS&lt;/a&gt;&lt;/strong&gt;, &lt;strong&gt;&lt;a href="https://azure.microsoft.com/en-us/" rel="noopener noreferrer"&gt;Azure&lt;/a&gt;&lt;/strong&gt;, and &lt;strong&gt;&lt;a href="https://cloud.google.com/" rel="noopener noreferrer"&gt;Google Cloud&lt;/a&gt;&lt;/strong&gt;. (&lt;a href="https://attack.mitre.org/techniques/T1552/005/" rel="noopener noreferrer"&gt;&lt;code&gt;T1552.005 - Cloud Credentials&lt;/code&gt;&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;  Cryptocurrency wallet data from &lt;strong&gt;&lt;a href="https://metamask.io/" rel="noopener noreferrer"&gt;MetaMask&lt;/a&gt;&lt;/strong&gt;, Phantom, and Exodus. (&lt;a href="https://attack.mitre.org/techniques/T1552/001/" rel="noopener noreferrer"&gt;&lt;code&gt;T1552.001 - Credentials In Files&lt;/code&gt;&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;  Configuration files and credentials for AI coding tools such as Claude Desktop, Cursor, and VS Code.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Persistence&lt;/strong&gt;: On Windows, the malware attempted to establish persistence by creating a hidden scheduled task (&lt;a href="https://attack.mitre.org/techniques/T1053/005/" rel="noopener noreferrer"&gt;&lt;code&gt;T1053.005 - Scheduled Task/Job: Scheduled Task&lt;/code&gt;&lt;/a&gt;). On macOS, it used a LaunchAgent for persistence (&lt;a href="https://attack.mitre.org/techniques/T1543/001/" rel="noopener noreferrer"&gt;&lt;code&gt;T1543.001 - Create or Modify System Process: Launch Agent&lt;/code&gt;&lt;/a&gt;).&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Impact Assessment
&lt;/h2&gt;

&lt;p&gt;The impact of this attack is potentially severe. Any developer or CI/CD system that installed one of the malicious &lt;code&gt;jscrambler&lt;/code&gt; versions could have had their credentials compromised. Stolen cloud credentials could lead to significant data breaches, unauthorized resource usage, and further lateral movement into corporate networks. The theft of AI coding tool credentials is a novel and concerning development, as it could allow attackers to access proprietary code, inject malicious code via the AI assistant, or abuse paid API quotas. The compromise of cryptocurrency wallets could result in direct financial loss for affected individuals.&lt;/p&gt;

&lt;h2&gt;
  
  
  Detection &amp;amp; Response
&lt;/h2&gt;

&lt;p&gt;Security teams should focus on detecting the installation and execution of the malicious packages.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Dependency Scanning&lt;/strong&gt;: Implement tools that scan &lt;code&gt;package.json&lt;/code&gt; and &lt;code&gt;package-lock.json&lt;/code&gt; files for known malicious versions. Tools like &lt;strong&gt;&lt;a href="https://socket.dev/" rel="noopener noreferrer"&gt;Socket&lt;/a&gt;&lt;/strong&gt; can detect suspicious behaviors like &lt;code&gt;preinstall&lt;/code&gt; scripts.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;EDR/SIEM Monitoring&lt;/strong&gt;: Create detection rules for &lt;code&gt;npm&lt;/code&gt; or &lt;code&gt;node&lt;/code&gt; processes that spawn unexpected child processes or write executable files. Monitor for the creation of scheduled tasks or launch agents immediately following an &lt;code&gt;npm install&lt;/code&gt; command. A relevant D3FEND technique is &lt;a href="https://d3fend.mitre.org/technique/d3f:ProcessAnalysis" rel="noopener noreferrer"&gt;&lt;code&gt;D3-PA - Process Analysis&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Network Monitoring&lt;/strong&gt;: Monitor for outbound connections from developer workstations and CI/CD runners to unknown or suspicious endpoints, especially after new packages are installed. This aligns with &lt;a href="https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis" rel="noopener noreferrer"&gt;&lt;code&gt;D3-NTA - Network Traffic Analysis&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Response&lt;/strong&gt;: If a malicious version is detected, immediately isolate the affected machine, revoke all credentials stored on it (cloud, SSH, API keys), and perform a full forensic analysis.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation
&lt;/h2&gt;

&lt;p&gt;Preventing and mitigating such supply chain attacks requires a multi-layered approach.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Use Lockfiles&lt;/strong&gt;: Always use &lt;code&gt;package-lock.json&lt;/code&gt; or &lt;code&gt;yarn.lock&lt;/code&gt; to ensure that &lt;code&gt;npm install&lt;/code&gt; uses a specific, vetted version of a dependency.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Audit Dependencies&lt;/strong&gt;: Regularly run &lt;code&gt;npm audit&lt;/code&gt; to check for known vulnerabilities. Use tools that analyze package behavior, not just known CVEs.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Restrict Permissions&lt;/strong&gt;: Run &lt;code&gt;npm install&lt;/code&gt; with the &lt;code&gt;--ignore-scripts&lt;/code&gt; flag in environments where pre/post-install scripts are not expected or necessary. This is a form of &lt;a href="https://attack.mitre.org/mitigations/M1038/" rel="noopener noreferrer"&gt;&lt;code&gt;M1038 - Execution Prevention&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Credential Management&lt;/strong&gt;: Avoid storing plaintext credentials on developer machines. Use dedicated secret management solutions like HashiCorp Vault or cloud provider KMS. Enforce &lt;a href="https://attack.mitre.org/mitigations/M1032/" rel="noopener noreferrer"&gt;&lt;code&gt;M1032 - Multi-factor Authentication&lt;/code&gt;&lt;/a&gt; on all developer accounts, especially for npm publishing.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Secure Publishing Pipeline&lt;/strong&gt;: For package maintainers, protect publishing tokens as highly sensitive secrets and use 2FA for the npm registry. This falls under &lt;a href="https://attack.mitre.org/mitigations/M1026/" rel="noopener noreferrer"&gt;&lt;code&gt;M1026 - Privileged Account Management&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>opensource</category>
      <category>security</category>
      <category>devops</category>
    </item>
    <item>
      <title>Australian Cyber Security Centre Issues Alert on Mass Exploitation of CMS Vulnerabilities</title>
      <dc:creator>NetSecOpsIO</dc:creator>
      <pubDate>Sun, 12 Jul 2026 19:24:45 +0000</pubDate>
      <link>https://dev.to/netsecops_io/australian-cyber-security-centre-issues-alert-on-mass-exploitation-of-cms-vulnerabilities-395e</link>
      <guid>https://dev.to/netsecops_io/australian-cyber-security-centre-issues-alert-on-mass-exploitation-of-cms-vulnerabilities-395e</guid>
      <description>&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://cyber.netsecops.io/articles/acsc-warns-global-campaign-exploiting-cms-vulnerabilities/" rel="noopener noreferrer"&gt;CyberNetSec&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Executive Summary
&lt;/h2&gt;

&lt;p&gt;On July 11, 2026, the &lt;strong&gt;&lt;a href="https://www.cyber.gov.au/" rel="noopener noreferrer"&gt;Australian Cyber Security Centre (ACSC)&lt;/a&gt;&lt;/strong&gt; released a critical alert detailing a large-scale, global cyberattack campaign. Threat actors are systematically exploiting a wide range of known, patched vulnerabilities in popular Content Management Systems (CMS) and their associated plugins. The primary targets include &lt;strong&gt;&lt;a href="https://wordpress.org/" rel="noopener noreferrer"&gt;WordPress&lt;/a&gt;&lt;/strong&gt;, &lt;strong&gt;&lt;a href="https://www.joomla.org/" rel="noopener noreferrer"&gt;Joomla&lt;/a&gt;&lt;/strong&gt;, and Craft CMS. The attackers' main objective is to install webshells on compromised servers, granting them persistent remote access. This campaign has already impacted numerous organizations in Australia and worldwide, particularly small- to medium-sized businesses. The ACSC strongly advises immediate patching and thorough system audits.&lt;/p&gt;

&lt;h2&gt;
  
  
  Threat Overview
&lt;/h2&gt;

&lt;p&gt;The campaign is characterized by its broad scope and reliance on exploiting old, unpatched vulnerabilities. Attackers are conducting mass scanning operations to identify internet-facing websites running vulnerable versions of CMS platforms or plugins. Once a target is identified, the attackers exploit a known flaw to achieve initial access, with the end goal of uploading a webshell.&lt;/p&gt;

&lt;p&gt;A webshell provides a backdoor, allowing the attacker to execute commands on the server, manipulate files, and access databases. This access is then used for various malicious purposes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  Website defacement&lt;/li&gt;
&lt;li&gt;  Theft of sensitive data, including user credentials and customer information&lt;/li&gt;
&lt;li&gt;  Using the compromised server to host phishing pages or distribute malware like the Vidar Stealer&lt;/li&gt;
&lt;li&gt;  Pivoting from the web server to attack other systems within the organization's internal network.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The ACSC noted that the use of AI by threat actors may be accelerating their ability to weaponize newly disclosed vulnerabilities, shortening the window for defenders to patch.&lt;/p&gt;

&lt;h2&gt;
  
  
  Technical Analysis
&lt;/h2&gt;

&lt;p&gt;The campaign leverages a list of 17 specific vulnerabilities. The exploitation of these flaws falls under the MITRE ATT&amp;amp;CK technique &lt;a href="https://attack.mitre.org/techniques/T1190/" rel="noopener noreferrer"&gt;&lt;code&gt;T1190 - Exploit Public-Facing Application&lt;/code&gt;&lt;/a&gt;. The ultimate goal is the installation of a webshell, which corresponds to &lt;a href="https://attack.mitre.org/techniques/T1505/003/" rel="noopener noreferrer"&gt;&lt;code&gt;T1505.003 - Server Software Component: Web Shell&lt;/code&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The targeted vulnerabilities include, but are not limited to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;WordPress Plugins&lt;/strong&gt;: Simple File List (&lt;code&gt;CVE-2026-1357&lt;/code&gt;), Ninja Forms (&lt;code&gt;CVE-2026-3844&lt;/code&gt;), Breeze Cache (&lt;code&gt;CVE-2026-1969&lt;/code&gt;), Gravity Forms (&lt;code&gt;CVE-2025-12352&lt;/code&gt;), and others.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Joomla Components&lt;/strong&gt;: JCE editor (&lt;code&gt;CVE-2026-0740&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Other CMS&lt;/strong&gt;: Craft CMS (&lt;code&gt;CVE-2025-34085&lt;/code&gt;), MaxSite CMS (&lt;code&gt;CVE-2020-36847&lt;/code&gt;), and MetInfo CMS (&lt;code&gt;CVE-2025-7852&lt;/code&gt;).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These vulnerabilities range from unauthenticated file uploads to remote code execution and server-side request forgery (SSRF). The fact that many of these have had patches available for months or years indicates a systemic failure in patch management across many organizations.&lt;/p&gt;

&lt;h2&gt;
  
  
  Impact Assessment
&lt;/h2&gt;

&lt;p&gt;The impact on a compromised organization can be severe. A public-facing website is often the gateway to an organization's digital presence. A breach can lead to significant reputational damage from website defacement or data leaks. The theft of customer data can result in regulatory fines and loss of trust. If the compromised web server is used as a pivot point into the internal network, it can lead to a full-scale enterprise breach, potentially culminating in a ransomware attack. For small and medium businesses with limited security resources, recovering from such an attack can be financially devastating.&lt;/p&gt;

&lt;h2&gt;
  
  
  IOCs — Directly from Articles
&lt;/h2&gt;

&lt;p&gt;No specific webshell hashes, IP addresses, or C2 domains were mentioned in the source articles.&lt;/p&gt;

&lt;h2&gt;
  
  
  Cyber Observables — Hunting Hints
&lt;/h2&gt;

&lt;p&gt;Security teams should proactively hunt for signs of compromise related to this campaign:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Type&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;url_pattern&lt;/td&gt;
&lt;td&gt;&lt;code&gt;*/wp-content/plugins/*/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Look for suspicious POST requests to plugin directories, especially for file uploads (&lt;code&gt;.php&lt;/code&gt;, &lt;code&gt;.phtml&lt;/code&gt;).&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;file_name&lt;/td&gt;
&lt;td&gt;&lt;code&gt;*.php&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Search for recently created or modified PHP files in unexpected locations, such as image upload directories.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;log_source&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Web Server Access Logs&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Scrutinize logs for requests to known vulnerable endpoints associated with the listed CVEs. Look for unusual user agents or requests from a single IP hitting multiple non-existent pages.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;command_line_pattern&lt;/td&gt;
&lt;td&gt;`(curl&lt;/td&gt;
&lt;td&gt;wget) http://&lt;em&gt;/&lt;/em&gt;.sh`&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Detection &amp;amp; Response
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;File Integrity Monitoring (FIM)&lt;/strong&gt;: Deploy FIM on web servers to alert on the creation or modification of files in web directories, especially script files like &lt;code&gt;.php&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Log Analysis&lt;/strong&gt;: Ingest web server and CMS application logs into a SIEM. Create rules to detect exploitation attempts against the listed CVEs and to identify common webshell activity patterns (e.g., a POST request to a &lt;code&gt;.jpg&lt;/code&gt; file that is later executed). This is an application of &lt;a href="https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis" rel="noopener noreferrer"&gt;&lt;code&gt;D3-NTA - Network Traffic Analysis&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Vulnerability Scanning&lt;/strong&gt;: Regularly scan public-facing web applications for the vulnerabilities listed in the ACSC alert and other known flaws.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Response&lt;/strong&gt;: If a webshell is found, isolate the server immediately. Capture a forensic image for analysis. Examine logs to determine the extent of the compromise and identify any lateral movement before restoring from a known-good backup.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation
&lt;/h2&gt;

&lt;p&gt;The most critical mitigation is timely patch management.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Patch Immediately&lt;/strong&gt;: Apply all available security updates for your CMS core, themes, and plugins. This is the primary defense and aligns with &lt;a href="https://attack.mitre.org/mitigations/M1051/" rel="noopener noreferrer"&gt;&lt;code&gt;M1051 - Update Software&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Harden Configuration&lt;/strong&gt;: Disable file uploads in areas where they are not necessary. Restrict script execution permissions in upload directories. This is a form of &lt;a href="https://attack.mitre.org/mitigations/M1022/" rel="noopener noreferrer"&gt;&lt;code&gt;M1022 - Restrict File and Directory Permissions&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Web Application Firewall (WAF)&lt;/strong&gt;: Deploy a WAF to block common attack patterns and virtual patch against known vulnerabilities until official patches can be applied.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Network Segmentation&lt;/strong&gt;: Isolate web servers from the internal corporate network to prevent attackers from pivoting if a server is compromised. This aligns with &lt;a href="https://attack.mitre.org/mitigations/M1030/" rel="noopener noreferrer"&gt;&lt;code&gt;M1030 - Network Segmentation&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Remove Unused Plugins&lt;/strong&gt;: Uninstall and delete any themes or plugins that are not actively in use to reduce the potential attack surface.&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>cybersecurity</category>
      <category>cyberattack</category>
      <category>vulnerability</category>
      <category>patchmanagement</category>
    </item>
    <item>
      <title>Malicious 'jscrambler' NPM Package Versions Deploy Cross-Platform Infostealer in Sophisticated Supply Chain Attack</title>
      <dc:creator>NetSecOpsIO</dc:creator>
      <pubDate>Sun, 12 Jul 2026 19:24:43 +0000</pubDate>
      <link>https://dev.to/netsecops_io/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-in-sophisticated-3671</link>
      <guid>https://dev.to/netsecops_io/malicious-jscrambler-npm-package-versions-deploy-cross-platform-infostealer-in-sophisticated-3671</guid>
      <description>&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://cyber.netsecops.io/articles/jscrambler-npm-package-compromised-supply-chain-attack-infostealer/" rel="noopener noreferrer"&gt;CyberNetSec&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Executive Summary
&lt;/h2&gt;

&lt;p&gt;On July 11, 2026, a sophisticated software supply chain attack was identified involving the popular &lt;code&gt;jscrambler&lt;/code&gt; npm package. Multiple malicious versions were published to the npm registry using a compromised maintainer's publishing credential. These packages contained a cross-platform infostealer written in Rust, designed to harvest sensitive developer credentials. The malware targeted a wide range of secrets, including cloud provider credentials, cryptocurrency wallets, and configuration files for modern AI coding assistants. The incident highlights the significant risk of dependency confusion and credential compromise in the software development lifecycle. &lt;strong&gt;&lt;a href="https://jscrambler.com/" rel="noopener noreferrer"&gt;Jscrambler&lt;/a&gt;&lt;/strong&gt; has taken remedial action, but organizations are urged to audit their systems and rotate all potentially exposed secrets immediately.&lt;/p&gt;

&lt;h2&gt;
  
  
  Threat Overview
&lt;/h2&gt;

&lt;p&gt;The attack began with the publication of &lt;code&gt;jscrambler&lt;/code&gt; version &lt;code&gt;8.14.0&lt;/code&gt; to the &lt;strong&gt;&lt;a href="https://www.npmjs.com/" rel="noopener noreferrer"&gt;npm&lt;/a&gt;&lt;/strong&gt; registry, followed by several other malicious versions (&lt;code&gt;8.16.0&lt;/code&gt;, &lt;code&gt;8.17.0&lt;/code&gt;, &lt;code&gt;8.18.0&lt;/code&gt;, &lt;code&gt;8.20.0&lt;/code&gt;). The threat actor leveraged a compromised npm publishing token to push these versions directly to the registry, bypassing the project's standard code review process on GitHub. The initial attack vector was an npm &lt;code&gt;preinstall&lt;/code&gt; script, which automatically executed upon package installation (&lt;code&gt;npm install&lt;/code&gt;). This script unpacked and ran a native binary infostealer. Later versions adapted to use &lt;code&gt;require()&lt;/code&gt;-time injection to evade detection mechanisms that block installation scripts.&lt;/p&gt;

&lt;p&gt;The primary goal of the attack was credential theft from developer workstations and CI/CD environments. The malware was specifically designed to be cross-platform, with executables for Windows, macOS, and Linux.&lt;/p&gt;

&lt;h2&gt;
  
  
  Technical Analysis
&lt;/h2&gt;

&lt;p&gt;The attack chain demonstrates a clear understanding of developer workflows and security blind spots.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Initial Access&lt;/strong&gt;: The attacker gained access to a valid npm publishing token for the &lt;code&gt;jscrambler&lt;/code&gt; package, allowing them to publish new versions. This aligns with &lt;a href="https://attack.mitre.org/techniques/T1195/002/" rel="noopener noreferrer"&gt;&lt;code&gt;T1195.002 - Compromise Software Supply Chain&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Execution&lt;/strong&gt;: The malicious code was executed via a &lt;code&gt;preinstall&lt;/code&gt; hook in the &lt;code&gt;package.json&lt;/code&gt; file. This hook ran a setup script that deployed the infostealer payload. This is a form of &lt;a href="https://attack.mitre.org/techniques/T1059/" rel="noopener noreferrer"&gt;&lt;code&gt;T1059 - Command and Scripting Interpreter&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Payload&lt;/strong&gt;: The payload was a 7.8MB Rust-based infostealer disguised as a JavaScript file (&lt;code&gt;intro.js&lt;/code&gt;). It contained compressed executables for Windows, macOS, and Linux.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Credential Access&lt;/strong&gt;: The infostealer was programmed to search for and exfiltrate a wide array of sensitive data, including:

&lt;ul&gt;
&lt;li&gt;  Cloud credentials for &lt;strong&gt;&lt;a href="https://aws.amazon.com/" rel="noopener noreferrer"&gt;AWS&lt;/a&gt;&lt;/strong&gt;, &lt;strong&gt;&lt;a href="https://azure.microsoft.com/en-us/" rel="noopener noreferrer"&gt;Azure&lt;/a&gt;&lt;/strong&gt;, and &lt;strong&gt;&lt;a href="https://cloud.google.com/" rel="noopener noreferrer"&gt;Google Cloud&lt;/a&gt;&lt;/strong&gt;. (&lt;a href="https://attack.mitre.org/techniques/T1552/005/" rel="noopener noreferrer"&gt;&lt;code&gt;T1552.005 - Cloud Credentials&lt;/code&gt;&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;  Cryptocurrency wallet data from &lt;strong&gt;&lt;a href="https://metamask.io/" rel="noopener noreferrer"&gt;MetaMask&lt;/a&gt;&lt;/strong&gt;, Phantom, and Exodus. (&lt;a href="https://attack.mitre.org/techniques/T1552/001/" rel="noopener noreferrer"&gt;&lt;code&gt;T1552.001 - Credentials In Files&lt;/code&gt;&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;  Configuration files and credentials for AI coding tools such as Claude Desktop, Cursor, and VS Code.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Persistence&lt;/strong&gt;: On Windows, the malware attempted to establish persistence by creating a hidden scheduled task (&lt;a href="https://attack.mitre.org/techniques/T1053/005/" rel="noopener noreferrer"&gt;&lt;code&gt;T1053.005 - Scheduled Task/Job: Scheduled Task&lt;/code&gt;&lt;/a&gt;). On macOS, it used a LaunchAgent for persistence (&lt;a href="https://attack.mitre.org/techniques/T1543/001/" rel="noopener noreferrer"&gt;&lt;code&gt;T1543.001 - Create or Modify System Process: Launch Agent&lt;/code&gt;&lt;/a&gt;).&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Impact Assessment
&lt;/h2&gt;

&lt;p&gt;The impact of this attack is potentially severe. Any developer or CI/CD system that installed one of the malicious &lt;code&gt;jscrambler&lt;/code&gt; versions could have had their credentials compromised. Stolen cloud credentials could lead to significant data breaches, unauthorized resource usage, and further lateral movement into corporate networks. The theft of AI coding tool credentials is a novel and concerning development, as it could allow attackers to access proprietary code, inject malicious code via the AI assistant, or abuse paid API quotas. The compromise of cryptocurrency wallets could result in direct financial loss for affected individuals.&lt;/p&gt;

&lt;h2&gt;
  
  
  IOCs — Directly from Articles
&lt;/h2&gt;

&lt;p&gt;No specific file hashes, IP addresses, or C2 domains were mentioned in the source articles.&lt;/p&gt;

&lt;h2&gt;
  
  
  Cyber Observables — Hunting Hints
&lt;/h2&gt;

&lt;p&gt;Security teams may want to hunt for the following patterns to identify potentially related activity:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Type&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;file_name&lt;/td&gt;
&lt;td&gt;&lt;code&gt;intro.js&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;The name of the malicious binary payload, though it is not a JS file.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;command_line_pattern&lt;/td&gt;
&lt;td&gt;&lt;code&gt;npm install jscrambler@8.14.0&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Or any of the other compromised versions.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;log_source&lt;/td&gt;
&lt;td&gt;&lt;code&gt;CI/CD build logs&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Look for installations of the malicious &lt;code&gt;jscrambler&lt;/code&gt; versions.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;process_name&lt;/td&gt;
&lt;td&gt;&lt;code&gt;node.exe&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Monitor for child processes spawning unexpected binaries or making outbound network connections to unusual destinations.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;registry_key&lt;/td&gt;
&lt;td&gt;&lt;code&gt;HKCU\Software\Microsoft\Windows\CurrentVersion\Run&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Check for suspicious entries related to persistence on Windows.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;file_path&lt;/td&gt;
&lt;td&gt;&lt;code&gt;~/Library/LaunchAgents/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Check for new or suspicious &lt;code&gt;.plist&lt;/code&gt; files on macOS.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Detection &amp;amp; Response
&lt;/h2&gt;

&lt;p&gt;Security teams should focus on detecting the installation and execution of the malicious packages.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Dependency Scanning&lt;/strong&gt;: Implement tools that scan &lt;code&gt;package.json&lt;/code&gt; and &lt;code&gt;package-lock.json&lt;/code&gt; files for known malicious versions. Tools like &lt;strong&gt;&lt;a href="https://socket.dev/" rel="noopener noreferrer"&gt;Socket&lt;/a&gt;&lt;/strong&gt; can detect suspicious behaviors like &lt;code&gt;preinstall&lt;/code&gt; scripts.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;EDR/SIEM Monitoring&lt;/strong&gt;: Create detection rules for &lt;code&gt;npm&lt;/code&gt; or &lt;code&gt;node&lt;/code&gt; processes that spawn unexpected child processes or write executable files. Monitor for the creation of scheduled tasks or launch agents immediately following an &lt;code&gt;npm install&lt;/code&gt; command. A relevant D3FEND technique is &lt;a href="https://d3fend.mitre.org/technique/d3f:ProcessAnalysis" rel="noopener noreferrer"&gt;&lt;code&gt;D3-PA - Process Analysis&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Network Monitoring&lt;/strong&gt;: Monitor for outbound connections from developer workstations and CI/CD runners to unknown or suspicious endpoints, especially after new packages are installed. This aligns with &lt;a href="https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis" rel="noopener noreferrer"&gt;&lt;code&gt;D3-NTA - Network Traffic Analysis&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Response&lt;/strong&gt;: If a malicious version is detected, immediately isolate the affected machine, revoke all credentials stored on it (cloud, SSH, API keys), and perform a full forensic analysis.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mitigation
&lt;/h2&gt;

&lt;p&gt;Preventing and mitigating such supply chain attacks requires a multi-layered approach.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Use Lockfiles&lt;/strong&gt;: Always use &lt;code&gt;package-lock.json&lt;/code&gt; or &lt;code&gt;yarn.lock&lt;/code&gt; to ensure that &lt;code&gt;npm install&lt;/code&gt; uses a specific, vetted version of a dependency.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Audit Dependencies&lt;/strong&gt;: Regularly run &lt;code&gt;npm audit&lt;/code&gt; to check for known vulnerabilities. Use tools that analyze package behavior, not just known CVEs.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Restrict Permissions&lt;/strong&gt;: Run &lt;code&gt;npm install&lt;/code&gt; with the &lt;code&gt;--ignore-scripts&lt;/code&gt; flag in environments where pre/post-install scripts are not expected or necessary. This is a form of &lt;a href="https://attack.mitre.org/mitigations/M1038/" rel="noopener noreferrer"&gt;&lt;code&gt;M1038 - Execution Prevention&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Credential Management&lt;/strong&gt;: Avoid storing plaintext credentials on developer machines. Use dedicated secret management solutions like HashiCorp Vault or cloud provider KMS. Enforce &lt;a href="https://attack.mitre.org/mitigations/M1032/" rel="noopener noreferrer"&gt;&lt;code&gt;M1032 - Multi-factor Authentication&lt;/code&gt;&lt;/a&gt; on all developer accounts, especially for npm publishing.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Secure Publishing Pipeline&lt;/strong&gt;: For package maintainers, protect publishing tokens as highly sensitive secrets and use 2FA for the npm registry. This falls under &lt;a href="https://attack.mitre.org/mitigations/M1026/" rel="noopener noreferrer"&gt;&lt;code&gt;M1026 - Privileged Account Management&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>cybersecurity</category>
      <category>supplychainattack</category>
      <category>malware</category>
      <category>threatintelligence</category>
    </item>
    <item>
      <title>Jscrambler NPM Package Hijacked in Supply Chain Attack, Deploys Infostealer Targeting Cloud &amp; AI Dev Secrets</title>
      <dc:creator>NetSecOpsIO</dc:creator>
      <pubDate>Sun, 12 Jul 2026 00:00:00 +0000</pubDate>
      <link>https://dev.to/netsecops_io/jscrambler-npm-package-hijacked-in-supply-chain-attack-deploys-infostealer-targeting-cloud-ai-4aje</link>
      <guid>https://dev.to/netsecops_io/jscrambler-npm-package-hijacked-in-supply-chain-attack-deploys-infostealer-targeting-cloud-ai-4aje</guid>
      <description>&lt;p&gt;A supply chain attack hit the popular &lt;code&gt;jscrambler&lt;/code&gt; npm package, with malicious versions published to the registry using a compromised maintainer credential. These versions contained a Rust-based infostealer designed to steal developer credentials from cloud services (AWS, Azure, GCP), cryptocurrency...&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Severity:&lt;/strong&gt; Critical&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Categories:&lt;/strong&gt; Supply Chain Attack, Malware, Threat Intelligence&lt;/p&gt;

&lt;p&gt;&lt;a href="https://cyber.netsecops.io/articles/jscrambler-npm-package-compromised-supply-chain-attack-infostealer/" rel="noopener noreferrer"&gt;Read Full Article →&lt;/a&gt;&lt;/p&gt;

</description>
      <category>supplychainattack</category>
      <category>malware</category>
      <category>threatintelligence</category>
    </item>
    <item>
      <title>CISA Adds Two Actively Exploited Joomla Plugin Flaws to KEV Catalog</title>
      <dc:creator>NetSecOpsIO</dc:creator>
      <pubDate>Sun, 12 Jul 2026 00:00:00 +0000</pubDate>
      <link>https://dev.to/netsecops_io/cisa-adds-two-actively-exploited-joomla-plugin-flaws-to-kev-catalog-2nm3</link>
      <guid>https://dev.to/netsecops_io/cisa-adds-two-actively-exploited-joomla-plugin-flaws-to-kev-catalog-2nm3</guid>
      <description>&lt;p&gt;On July 10, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities affecting Joomla components to its Known Exploited Vulnerabilities (KEV) catalog, signaling they are under active exploitation. The flaws, CVE-2026-48939 in the iCagenda extension and CVE-202...&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Severity:&lt;/strong&gt; High&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Categories:&lt;/strong&gt; Vulnerability, Patch Management, Regulatory&lt;/p&gt;

&lt;p&gt;&lt;a href="https://cyber.netsecops.io/articles/cisa-adds-joomla-icagenda-balbooa-flaws-to-kev-catalog/" rel="noopener noreferrer"&gt;Read Full Article →&lt;/a&gt;&lt;/p&gt;

</description>
      <category>vulnerability</category>
      <category>patchmanagement</category>
      <category>regulatory</category>
    </item>
    <item>
      <title>Urgent Patch Advisory: Critical Stored XSS Flaw in Zimbra Allows Account Takeover via Email</title>
      <dc:creator>NetSecOpsIO</dc:creator>
      <pubDate>Sat, 11 Jul 2026 00:00:00 +0000</pubDate>
      <link>https://dev.to/netsecops_io/urgent-patch-advisory-critical-stored-xss-flaw-in-zimbra-allows-account-takeover-via-email-bhg</link>
      <guid>https://dev.to/netsecops_io/urgent-patch-advisory-critical-stored-xss-flaw-in-zimbra-allows-account-takeover-via-email-bhg</guid>
      <description>&lt;p&gt;Zimbra has issued an urgent advisory for a critical stored cross-site scripting (XSS) vulnerability in its Classic Web Client. The flaw, which has not yet been assigned a CVE, can be exploited by sending a specially crafted email to a target. When the victim opens the malicious email, the embedded s...&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Severity:&lt;/strong&gt; Critical&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Categories:&lt;/strong&gt; Vulnerability, Phishing, Cyberattack&lt;/p&gt;

&lt;p&gt;&lt;a href="https://cyber.netsecops.io/articles/critical-stored-xss-flaw-in-zimbra-classic-web-client-disclosed/" rel="noopener noreferrer"&gt;Read Full Article →&lt;/a&gt;&lt;/p&gt;

</description>
      <category>vulnerability</category>
      <category>phishing</category>
      <category>cyberattack</category>
    </item>
  </channel>
</rss>
