TL;DR
npm supply-chain compromise in jscrambler 8.14.0 installs cross-platform infostealer; Zimbra WebClient flaw allows arbitrary code execution via email; Injective Labs GitHub breach pushes malicious wallet-stealing packages. Immediate action required for affected users and developers.
Executive Summary
- npm package jscrambler 8.14.0 compromised with Rust-based infostealer targeting Windows, macOS, and Linux users
- Zimbra Critical vulnerability enables stored XSS via crafted emails leading to arbitrary code execution in user sessions
- Injective Labs GitHub repository compromised to push malicious @injectivelabs/sdk-ts@1.20.21 targeting cryptocurrency wallet private keys
- Threat actors use ghost GitHub accounts to conduct mass reconnaissance of organizations and repositories
- FBI seizes NetNut proxy platform and Popa botnet infrastructure; Popa linked to Alarum Technologies
Top Threats Today
1. jscrambler npm Package Supply-Chain Compromise
Severity: HIGH Affected: Technology
The jscrambler npm package version 8.14.0, published July 11, 2026, has been compromised with a malicious preinstall hook that drops and executes a native Rust infostealer [1]. The payload includes separate binaries for Windows, macOS, and Linux, executing automatically during package installation without user interaction ⚠[1]. This attack directly affects developers who installed the compromised release and any downstream applications or dependencies consuming this version.
Sources:[1] The Hacker News
Recommended Action
- Immediately audit npm audit logs and package lock files for jscrambler 8.14.0 installation
- Isolate and re-image any development machines that installed the compromised version
- Scan systems for persistence mechanisms and credential theft indicators
- Contact security team if jscrambler 8.14.0 was built into production artifacts
- Upgrade to a verified safe version from npm when available; verify package integrity via hash
2. Zimbra Critical Stored XSS via Malicious Email
Severity: HIGH Affected: Technology
Zimbra has disclosed a critical vulnerability in the Classic Web Client that allows specially crafted emails to execute arbitrary code within user sessions via stored cross-site scripting (XSS) [1]. The flaw permits attackers to run malicious code in the context of an authenticated user without additional user interaction once an email is opened or displayed ⚠ [1]. Zimbra is urging immediate application of available updates [1].
Sources:[1] The Hacker News
Recommended Action
- Apply Zimbra-provided security updates to all Classic Web Client instances immediately
- Monitor email logs and user activity for signs of session hijacking or unauthorized actions
- Educate users to avoid opening emails from untrusted sources pending patch deployment
- If patching is delayed, disable Classic Web Client access and enforce use of alternative clients
3. Injective Labs GitHub Compromise Pushes Malicious SDK
Severity: HIGH Affected: Finance
Unknown threat actors compromised the Injective Labs SDK project GitHub repository and published a malicious version, @injectivelabs/sdk-ts@1.20.21, to the npm registry [1]. The compromised package was embedded with code designed to steal cryptocurrency wallet private keys and mnemonic seed phrases [1]. This attack directly impacts developers and applications that depend on the Injective Labs SDK for blockchain wallet operations.
Sources:[1] The Hacker News
Recommended Action
- Immediately revoke or rotate all cryptocurrency wallet private keys and seed phrases on systems that installed @injectivelabs/sdk-ts@1.20.21
- Audit package.lock and dependency trees for presence of malicious version
- Move wallet funds from potentially compromised keys to newly generated secure wallets
- Monitor blockchain transactions associated with affected wallets for unauthorized activity
- Downgrade to a verified safe version of the SDK once patched version is confirmed
4. Ghost GitHub Accounts Conduct Mass Organization Reconnaissance
Severity: HIGH Affected: Technology
Multiple campaigns are using ghost (fake or compromised) GitHub accounts to systematically map GitHub organizations, their repositories, and member lists [1]. This reconnaissance activity enables attackers to identify high-value targets and sensitive codebases prior to exploitation ⚠[1].
Sources:[1] SecurityWeek
Recommended Action
- Review GitHub organization member access logs for unusual or anonymous account activity
- Enable GitHub organization-level audit logging and review for API access patterns
- Restrict repository visibility and member directory access to authenticated users only
- Implement conditional access policies to detect and block suspicious enumeration patterns
- Review secrets stored in repositories and rotate any discovered credentials immediately
5. FBI Seizes NetNut Proxy Service and Popa Botnet
Severity: MEDIUM Affected: Technology
The FBI announced seizure of hundreds of domains associated with NetNut, a residential proxy service operated by publicly-traded Israeli company Alarum Technologies [1]. The action also targeted the Popa botnet, an Android-based network that researchers have linked to the proxy platform [1].
Sources:[1] Krebs on Security
Recommended Action
- Review network logs and firewall rules for connections to seized NetNut domains
- Audit corporate devices for unauthorized proxy configurations or proxy-based traffic redirection
- Monitor for Android-based devices on corporate networks exhibiting unusual data exfiltration patterns
Today's Action Checklist
- ☐ URGENT: Check for jscrambler 8.14.0 in npm audit logs; isolate and re-image affected development systems
- ☐ URGENT: Apply Zimbra Classic Web Client security patches to all instances
- ☐ URGENT: Audit for @injectivelabs/sdk-ts@1.20.21 in dependency trees; rotate compromised wallet keys immediately
- ☐ Review GitHub organization audit logs for suspicious or ghost account activity in past 30 days
- ☐ Verify no corporate network connections to seized NetNut proxy domains