Saturday, January 17, 2026

Scavenger Malware Compromises Top npm Packages to Target Developers

A sophisticated supply chain attack targeting developers emerged on Friday, July 18, 2025, when cybercriminals compromised several popular npm packages, including the widely used eslint-config-prettier package.

The attack, dubbed “Scavenger” by security researchers due to multiple references to “SCVNGR” strings in the malware variants, represents a novel approach to software supply chain compromise that specifically targets Windows-based development environments.

The compromise began when attackers successfully phished the maintainer of eslint-config-prettier, gaining access to their npm account and publishing malicious versions without corresponding changes to the GitHub repository.

Users quickly noticed the discrepancy between npm releases and GitHub commits, prompting an investigation that revealed the extent of the breach.

Technical Infection Vector and Payload Delivery

The malicious packages contained an install.js file with a seemingly innocent logDiskSpace() function that executed during npm installation.

This function specifically targeted Windows systems, using obfuscated JavaScript to spawn a rundll32.exe process that loaded a malicious DLL named node-gyp.dll.

The DLL, compiled on the same day as the attack, served as a sophisticated loader designed to evade detection and deploy the primary payload.

The Scavenger loader employed multiple anti-analysis techniques, including virtual machine detection through SMBIOS firmware table enumeration, antivirus detection by checking for specific DLLs, and processor count verification to avoid sandbox environments.

The malware also implemented indirect syscalls to bypass endpoint detection and response (EDR) solutions, demonstrating advanced technical sophistication.

Security researchers discovered that the loader used a custom CRC32 hashing algorithm to resolve Windows API functions dynamically at runtime rather than importing them by name, making static analysis more challenging.

The malware also employed XXTEA encryption for command-and-control communications and used XOR string obfuscation to hide its functionality.

Widespread Impact and Browser Targeting

The attack affected multiple npm packages beyond eslint-config-prettier, including eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall, with specific versions of each compromised.

[Image: Phishing email received by the npm package maintainer]

The second-stage payload specifically targeted Chromium-based browsers, seeking to extract sensitive data from extensions, service worker caches, and browsing history.

Analysis revealed that the malware was designed to steal authentication tokens, private keys, and session data from popular browser-based applications and security extensions, such as password managers.

The attack’s sophistication suggests that experienced threat actors developed it with a deep understanding of both the npm ecosystem and Windows internals.

The compromise represents a significant escalation in supply chain attacks targeting developers, as the affected packages had millions of downloads.

Security researchers have identified connections between this campaign and previous attacks, including malware distribution through gaming platforms like BeamNG, indicating a broader, coordinated effort by the threat actors.

Organizations are advised to audit their npm dependencies immediately, implement package integrity checks, and monitor for indicators of compromise, including the identified command-and-control domains and file hashes provided by security researchers.

IOCs (SHA-256)

  • 877f40dda3d7998abda1f65364f50efb3b3aebef9020685f57f1ce292914feae
  • 9ec86514d5993782d455a4c9717ec4f06d0dfcd556e8de6cf0f8346b8b8629d4
  • 0254abb7ce025ac844429589e0fec98a84ccefae38e8e9807203438e2f387950
