Construction AI BriefSubscribe →
Issue
№075
Pillar
Trend
Audience
GC ops
Dated
2026.07.13

Malware hidden in a hijacked code package now hunts specifically for Claude and Cursor credentials. That's the tool your ops team used to build the RFI bot.

Attackers pushed a compromised version of the npm package jscrambler that installs an infostealer built to search Claude Desktop, Cursor, Windsurf, VS Code, and Zed config files for API keys and MCP credentials. Any construction firm whose ops or estimating staff has been building internal AI tools with these editors has the same exposure.

ByConstruction AI BriefAbout this publication

Attackers hijacked a legitimate, widely used code-obfuscation package on npm and used it to plant malware that hunts specifically for the credential files stored by Claude Desktop, Cursor, Windsurf, VS Code, and Zed — the same AI coding tools construction ops and estimating staff have been reaching for to build internal RFI bots, submittal trackers, and bid-tab scripts without a dev team. That's a new, more targeted version of a risk this newsletter has flagged before: a self-built AI tool is only as secure as the software supply chain underneath it.

What actually happened?

On July 11, 2026, someone got hold of a valid npm publishing credential for jscrambler, a popular JavaScript obfuscation tool, and used it to push a malicious release, version 8.14.0. Over the next three hours, four more tainted versions followed — 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Each one added an undocumented preinstall hook that silently drops and runs a native binary the moment someone runs npm install, with a separate build for Windows, macOS, and Linux. None of the added files existed in jscrambler's public source code or matched any commit in its GitHub repository, according to researchers at Socket and SafeDep who examined the release.

What does the malware actually steal?

The payload is a Rust infostealer that sweeps the machine and ships everything it finds to a remote server over an encrypted connection. The target list, confirmed by multiple independent security firms, includes:

CategoryWhat's taken
Cloud infrastructureAWS, Azure, and Google Cloud credentials, including CI-runner metadata endpoints
Developer accountsnpm and GitHub tokens
AI coding toolsAPI keys and MCP server credentials from Claude Desktop, Cursor, Windsurf, VS Code, and Zed
Password managerBitwarden vault contents
BrowserSaved passwords and session cookies
MessagingDiscord, Slack, Telegram, and Steam session tokens
Crypto walletsMetaMask, Phantom, and Exodus seed data

The line that matters for construction: this isn't generic malware that happens to catch AI-tool files as a side effect. It's written to specifically go after MCP server credentials — the connection strings and tokens that let an AI coding assistant reach out to a real system, whether that's a database, a cloud bucket, or an API. It's a different entry point than the AI agent that ran a ransomware attack through a self-hosted tool ops teams use to build RFI bots — that risk lived in an unpatched server; this one lives in a poisoned dependency two steps removed from anything your team wrote.

Why does this matter for a firm that's never touched jscrambler directly?

Almost no construction firm has jscrambler in its own toolchain on purpose. That's not the point. The point is what this attack confirms: security researchers are now finding malware engineered specifically to hunt for the credential stores that sit inside Claude Desktop, Cursor, and similar tools. If your firm's ops person or estimator has spent an afternoon in Cursor or Claude Code wiring up a script that pulls from Procore's API, reads a shared drive, or posts to a Slack channel, that script's dependency tree — however small — is now a target class attackers are building tools for. A different open-source package gets hijacked the same way next month, and the credentials sitting in that same config file are the prize either way.

What should an ops team actually do this week?

  • Audit the dependency list on anything built with an AI coding assistant. Run npm audit or a free scanner like Socket before assuming code an AI wrote — including its dependencies — is clean.
  • Rotate any API key or MCP credential stored in Claude Desktop, Cursor, Windsurf, VS Code, or Zed config files, especially if that machine has installed or updated any npm package in the last week.
  • Scope those credentials down. A Procore or cloud-storage token wired into an internal AI tool should be read-only wherever the platform allows it, not a master key that happens to be convenient.
  • Pin dependency versions on anything running unattended, rather than letting npm install pull the latest release automatically.

None of this requires ripping out the internal tools your team has built — the productivity case for them hasn't changed. It requires treating the credential file sitting next to them like what it now is: a named target.

Construction AI Brief publishes new analysis three times a week. Subscribe at constructionaibrief.com.

FAQCommon questions
What happened with the jscrambler npm package?
On July 11, 2026, an attacker used a compromised npm publishing credential to push a malicious version (8.14.0) of jscrambler, a widely used JavaScript obfuscation tool. Over roughly three hours, four more tainted versions followed (8.16.0, 8.17.0, 8.18.0, 8.20.0), each carrying a preinstall hook that silently installs a Rust-built infostealer on Windows, macOS, and Linux.
Does this malware specifically target AI coding tools like Cursor or Claude Desktop?
Yes. Security researchers who reverse-engineered the payload found it explicitly searches for config files belonging to Claude Desktop, Cursor, Windsurf, VS Code, and Zed, pulling out API keys and Model Context Protocol (MCP) server credentials alongside cloud, developer, and password-manager credentials.
Is my construction firm at risk if we've never heard of jscrambler?
Only directly if jscrambler sits somewhere in a project's dependency tree, which most construction-side tools won't have. The real signal isn't this one package — it's that attackers are now writing malware purpose-built to find MCP credentials, meaning any npm-based internal tool your firm has built carries the same category of risk if one of its dependencies is ever compromised the same way.
How was the attack caught, and is it over?
The security firm Socket detected the tainted release about six minutes after it was published and flagged it publicly. jscrambler's maintainers have since published a clean 8.22.0 release. Anyone who installed versions 8.14.0 through 8.20.0 in that window should still treat the machine as compromised and rotate credentials.
What should a GC or sub do if ops or estimating staff built an internal tool with Cursor or Claude Code?
Run a dependency audit (npm audit or a scanner like Socket) on anything built with AI coding assistants rather than assuming AI-generated code has a clean dependency tree, rotate any API keys or MCP credentials stored in those tools' config files, and scope those credentials to read-only access wherever the connected system (Procore, cloud storage, accounting software) allows it.
End of sheet — issue №075
Published · 2026.07.13
Project
Construction AI Brief
Dated
2026.07.13
Sheet
1 / 1
Rev
A
Published independently · constructionaibrief.com · © 2026Facebook·Privacy·About