The short version: On July 11, 2026, someone pushed five malicious versions of the popular jscrambler npm package and, for about three hours, anyone who installed one ran a cross-platform infostealer. The malware — JFrog calls it IronWorm — steals the usual crown jewels: npm tokens, CI secrets, cloud credentials, browser sessions, crypto wallets, Bitwarden vaults. But it also reaches for something newer, and that's the part worth your attention: the config files of AI coding tools like Claude Desktop and Cursor. If you build with an AI assistant, its config is now a named target.
What happened#
The malicious versions — 8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0 — went out under a legitimate maintainer account, bypassing the project's normal release flow, which points to a compromised npm credential or build pipeline rather than a typosquat. Each version carried the same payload: a Rust infostealer with builds for Windows, macOS, and Linux, run from a preinstall hook so that simply installing the package executes it. JFrog ties IronWorm to the Shai-Hulud worm lineage — the same self-propagating family that has been chewing through npm for the past year — and notes it has grown from a Linux-only tool into a three-platform one.
Propagation is the ugly bit. Once it has your npm token, IronWorm doesn't wait for a human: it picks packages with high download counts, injects a malicious setup.mjs preinstall script into their tarballs, and publishes the infected versions directly to the registry over a raw HTTP PUT — without ever calling the npm client. That's a worm designed to skip the tooling that might flag it. Detection vendors caught this one fast (Socket flagged it minutes after publish), but "fast" still leaves a three-hour window of live installs.
A stolen cloud key is a door. A poisoned assistant config is a door that keeps making new doors.
The tell: AI tool config on the target list#
Infostealers grabbing cloud keys and wallets is not new. What's new is a mainstream npm worm explicitly enumerating AI coding assistant configuration among its targets. Think about what that config is: your assistant's keys, its custom instructions, the MCP servers it's allowed to reach, the rules that shape what it writes. Read or tamper with that, and an attacker isn't stealing one secret — they're getting a position inside your development loop.
That's a category jump. A leaked API key is a one-time loss you rotate away. A compromised Cursor or Claude Desktop config can quietly influence every subsequent AI-generated commit — nudging dependencies, weakening a check, adding a "helpful" script — with your own assistant as the unwitting delivery mechanism. As agents write more of the diff, their config becomes production infrastructure, and this attack is the first mainstream sign that the other side has noticed. It's the supply-chain version of the same boundary problem we flagged when Cursor's sandbox escape turned an IDE into an execution surface.
What to do this week#
Concrete, in order:
- Purge the bad versions. Remove
jscrambler8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0 from lockfiles and caches. Pin to the last known-good 8.13.0 or move to a clean 8.15.0. Note that in the later malicious versions the payload was moved into the package's main code, so--ignore-scriptsalone won't reliably save you — remove the versions, don't just mute the hook. - Rotate anything CI touched. npm publish tokens, cloud credentials, and any secret readable from your build environment. Assume exposure if an affected version hit a runner.
- Treat AI tool config as a secret. Keep Cursor/Claude config out of world-readable paths and shared machine images; don't commit it; review it the way you'd review an
.env. - Adopt npm v12's default. npm v12 disables dependency install scripts by default — the structural fix for exactly this delivery method. If you haven't migrated, this attack is your business case.
- Watch your own publishes. Alert on unexpected new versions under your org's npm tokens; that's how the worm spreads through you to everyone downstream.
This is the third npm supply-chain incident we've covered in a month — after the Mastra AI package attack and the agent-skills supply-chain risk — and the trend line is clear: the payloads keep getting better at staying, and they're now aimed at the tools that write your code. The defenses are boring and they work. Pin, rotate, and stop letting a fresh npm install run arbitrary code as you. Your assistant's config is part of your attack surface now — rotate the keys behind it on a schedule, and give it nothing it doesn't need.



