The jscrambler npm package was compromised, and simply installing its8.14.0release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries apreinstallhook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the releasesix minutes after it was published. If you or one of your