Scavenger Malware Hijacks Popular npm Packages to Target Developers

A sophisticated supply chain attack involving the “Scavenger” malware has recently rocked the JavaScript developer community.

Developers noticed unauthorized releases of the widely used eslint-config-prettier npm package that had no corresponding commits or tags in the project's official GitHub repository.

The package maintainer soon confirmed that their npm account had been compromised, which let the threat actors publish malicious versions of several packages they maintain: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall (specific versions only). Because the malicious releases existed only on the registry, the GitHub history looked clean; an affected install shows up in the lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml), not in the source repository.

Infection Mechanism

Investigation revealed that the compromised versions shipped a malicious install.js script.

When a compromised version was installed on a Windows system, the script launched a DLL named node-gyp.dll through rundll32.exe, calling its exported logDiskSpace function (the equivalent of running rundll32.exe node-gyp.dll,logDiskSpace). Since this happened as part of the package's install step, nothing beyond a normal npm install was needed to trigger it.
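A defender-side check for the mechanism described above, added here as an example and not code from the article or from any of the projects involved. It walks a node_modules tree, reports every installed copy of the packages the article names (the article gives no version numbers, so compare the reported versions against the maintainer's advisory yourself), and flags preinstall/install/postinstall hooks, following `node <file>.js` into the script file, that reference rundll32, regsvr32, a .dll or the logDiskSpace export. The package tree it scans is a constructed fixture built in a temporary directory, and the regular expressions are our assumptions, not indicators from the analysis.

```python
import json
import os
import re
import tempfile

# Package names the article reports as having had malicious versions published.
# No version numbers are given there, so every installed copy is reported.
AFFECTED_PACKAGES = {
    "eslint-config-prettier",
    "eslint-plugin-prettier",
    "synckit",
    "@pkgr/core",
    "napi-postinstall",
}

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Assumed indicators for a lifecycle script: a rundll32/regsvr32 launch, a DLL
# reference, or the logDiskSpace export named in the article. Tune for your environment.
SUSPICIOUS_RE = re.compile(r"rundll32|regsvr32|\.dll\b|logDiskSpace", re.IGNORECASE)
NODE_SCRIPT_RE = re.compile(r"\bnode\s+([\w./-]+\.js)\b")


def scan_node_modules(root):
    """Walk a node_modules tree and return a list of findings (dicts)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue
        name = meta.get("name", "")
        version = meta.get("version", "")
        if name in AFFECTED_PACKAGES:
            findings.append({"kind": "affected-package", "name": name,
                             "version": version, "path": dirpath})
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            text = cmd
            # Follow "node something.js" into the file so the check sees what
            # actually runs, not just the one-line hook.
            for target in NODE_SCRIPT_RE.findall(cmd):
                script_path = os.path.join(dirpath, target)
                if os.path.isfile(script_path):
                    with open(script_path, encoding="utf-8", errors="replace") as fh:
                        text += "\n" + fh.read()
            match = SUSPICIOUS_RE.search(text)
            if match:
                findings.append({"kind": "suspicious-lifecycle-script", "name": name,
                                 "version": version, "path": dirpath,
                                 "hook": hook, "indicator": match.group(0)})
    return findings


def build_sample_tree():
    """Constructed node_modules fixture for the demo; not real package contents."""
    root = tempfile.mkdtemp(prefix="nm-demo-")

    def write(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    # An affected package whose install hook runs a script that launches a DLL.
    write("node_modules/eslint-config-prettier/package.json", json.dumps({
        "name": "eslint-config-prettier", "version": "0.0.0-demo",
        "scripts": {"install": "node install.js"}}))
    write("node_modules/eslint-config-prettier/install.js",
          'require("child_process").exec("rundll32.exe node-gyp.dll,logDiskSpace");\n')
    # A scoped affected package with no lifecycle script at all.
    write("node_modules/@pkgr/core/package.json",
          json.dumps({"name": "@pkgr/core", "version": "0.0.0-demo"}))
    # A benign package with a harmless postinstall hook.
    write("node_modules/left-pad/package.json", json.dumps({
        "name": "left-pad", "version": "1.3.0",
        "scripts": {"postinstall": "node -e \"console.log('ok')\""}}))
    return root


if __name__ == "__main__":
    for finding in scan_node_modules(build_sample_tree()):
        print(finding)
```

Point scan_node_modules() at a real project's node_modules to use it; anything reported as an affected package should be compared against the versions in the advisory, and any flagged lifecycle script read in full before the machine is trusted again.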

The DLL, which acts as the "Scavenger Loader", carried a compile timestamp from the same day as the attack, suggesting it was built for this campaign rather than reused, and that the operation was planned rather than opportunistic.

The loader is packed with anti-analysis measures: it checks for virtual machines by looking for VMware or QEMU signatures in SMBIOS data, scans the modules loaded in its own process for well-known antivirus and sandboxing DLLs (Avast's snxhk.dll, Sandboxie's SbieDll.dll, and others), and refuses to run if the host looks like an analysis or emulation environment. One consequence for defenders is that the payload will not detonate in many automated sandboxes, so a clean sandbox verdict for these packages means little.

It uses indirect syscalls and resolves the Windows APIs it needs by CRC32 hash of the function name (API hashing) instead of through a plain import table, and its routines dynamically resolve those imports and decrypt strings stored with custom XOR and XXTEA encryption at runtime, all of which leaves static analysis with little to work on.
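To show what CRC32 function hashing means for an analyst, here is an added example (not the loader's own code) of the usual counter: compute CRC32 over candidate Windows export names, then look for those 32-bit constants in a byte blob the way they appear as immediates in the loader. It assumes plain zlib-polynomial CRC32 over the ASCII export name with no seed tweak; real loaders frequently alter the seed, fold case, or mix in the DLL name, so adjust hash_name() to match the routine you recovered. The candidate export list and the byte blob are constructed for the demo.

```python
import struct
import zlib


def hash_name(name):
    """Assumed hash: plain CRC32 over the ASCII export name, no seed change.
    Change this one function when the recovered routine differs."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


# Exports a loader with this feature set typically resolves. For real work,
# extend with the full export lists of kernel32/ntdll dumped from a clean system.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "IsDebuggerPresent", "GetModuleHandleA", "CreateFileW",
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
]


def build_table(names, hasher=hash_name):
    """Map hash value -> export name for every candidate."""
    return {hasher(n): n for n in names}


def resolve(hashes, table):
    """Resolve hashes pulled from the binary; unknown ones stay as hex strings."""
    return [table.get(h, "0x%08x" % h) for h in hashes]


def find_hash_constants(blob, table):
    """Scan a byte blob at every offset (immediates are not aligned) for
    32-bit little-endian values present in the table. Returns (offset, name)."""
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits


# Constructed stand-in for a code region: two NOPs, a hash immediate, an int3,
# another hash immediate, then zero filler. Not bytes from the real loader.
SAMPLE_BLOB = (b"\x90\x90" + struct.pack("<I", hash_name("VirtualAlloc"))
               + b"\xcc" + struct.pack("<I", hash_name("GetProcAddress"))
               + b"\x00\x00\x00\x00")

if __name__ == "__main__":
    table = build_table(CANDIDATE_EXPORTS)
    for off, name in find_hash_constants(SAMPLE_BLOB, table):
        print("offset %d: %s" % (off, name))
```

In practice you feed find_hash_constants() the .text section (or the decrypted string/hash table) of the sample and a table built from full export lists; every hit tells you which API the loader calls at that spot without having to step through the resolver.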

(Figure: String decryption routine)

Chrome Data Targeting

Once past this filtering, the loader deploys a second stage: the Scavenger infostealer. Like its delivery loader, this component is heavily obfuscated and employs many of the same anti-debugging methods, function hashing, and custom string obfuscation.

Notably, it targets Chromium-based browsers, looking for internal artifacts such as Extensions, ServiceWorkerCache, DawnWebGPUCache, and Visited Links, all of them files or folders inside a Chromium user-data profile directory.

This configuration strongly suggests an intent to steal authentication tokens, session data, and browsing history, increasing the risk of credential theft and session hijacking for developers who installed the poisoned libraries.

Communication with attacker-controlled servers is handled via HTTPS and HTTP, with all payloads transmitted in base64 and encrypted using XXTEA.

The malware verifies server authenticity by expecting campaign IDs and responding to handshake integrity checks.
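The transport described in the two paragraphs above (base64 over XXTEA, with a campaign ID checked on receipt) and the XXTEA string encryption mentioned earlier, as an added Python example that is not the malware's code: a reference XXTEA (btea) implementation plus a small encode/decode pair. The 16-byte key, the JSON body, the length-prefix framing, and the campaign_id field are this example's assumptions; the real samples' framing, key, and message layout are not given in the article.

```python
import base64
import json
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF


def _mx(total, y, z, p, e, key):
    # The XXTEA mixing function MX from the Wheeler/Needham reference, masked to 32 bits.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK32


def _btea(words, key, encrypt):
    """Reference XXTEA (btea) over a list of 32-bit words; returns a new list."""
    v = list(words)
    n = len(v)
    if n < 2:
        return v
    rounds = 6 + 52 // n
    if encrypt:
        total = 0
        z = v[n - 1]
        for _ in range(rounds):
            total = (total + DELTA) & MASK32
            e = (total >> 2) & 3
            for p in range(n - 1):
                y = v[p + 1]
                v[p] = (v[p] + _mx(total, y, z, p, e, key)) & MASK32
                z = v[p]
            y = v[0]
            v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, key)) & MASK32
            z = v[n - 1]
    else:
        total = (rounds * DELTA) & MASK32
        y = v[0]
        for _ in range(rounds):
            e = (total >> 2) & 3
            for p in range(n - 1, 0, -1):
                z = v[p - 1]
                v[p] = (v[p] - _mx(total, y, z, p, e, key)) & MASK32
                y = v[p]
            z = v[n - 1]
            v[0] = (v[0] - _mx(total, y, z, 0, e, key)) & MASK32
            y = v[0]
            total = (total - DELTA) & MASK32
    return v


def xxtea_encrypt(data, key):
    """Encrypt bytes with a 16-byte key. Framing (4-byte LE length prefix, zero
    padding to whole words, at least 2 words) is this example's own convention."""
    if len(key) != 16:
        raise ValueError("XXTEA key must be 16 bytes")
    k = list(struct.unpack("<4I", key))
    framed = struct.pack("<I", len(data)) + data
    framed += b"\0" * (-len(framed) % 4)
    framed += b"\0" * max(0, 8 - len(framed))
    words = struct.unpack("<%dI" % (len(framed) // 4), framed)
    return struct.pack("<%dI" % len(words), *_btea(words, k, True))


def xxtea_decrypt(data, key):
    """Inverse of xxtea_encrypt; raises ValueError when the framing does not fit."""
    if len(key) != 16 or len(data) % 4 or len(data) < 8:
        raise ValueError("bad key or ciphertext length")
    k = list(struct.unpack("<4I", key))
    words = struct.unpack("<%dI" % (len(data) // 4), data)
    plain = struct.pack("<%dI" % len(words), *_btea(words, k, False))
    (length,) = struct.unpack("<I", plain[:4])
    if length > len(plain) - 4:
        raise ValueError("length prefix does not fit: wrong key or corrupt data")
    return plain[4:4 + length]


def encode_message(fields, key):
    """Serialize a dict, XXTEA-encrypt it, base64 it (the transport shape the article
    describes). JSON as the body format is an assumption."""
    return base64.b64encode(xxtea_encrypt(json.dumps(fields).encode(), key)).decode()


def decode_message(blob, key):
    return json.loads(xxtea_decrypt(base64.b64decode(blob), key).decode())


def try_decode(blob, key, expected_campaign=None):
    """Decoded dict, or None if the blob does not decrypt cleanly or carries a
    different campaign id (mirroring the campaign-ID check the article mentions)."""
    try:
        msg = decode_message(blob, key)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(msg, dict):
        return None
    if expected_campaign is not None and msg.get("campaign_id") != expected_campaign:
        return None
    return msg


# Constructed demo key and message; not values recovered from any sample.
SAMPLE_KEY = bytes(range(16))
SAMPLE_MESSAGE = {"campaign_id": "demo-campaign", "host": "DEV-PC",
                  "artifacts": ["Extensions", "Visited Links"]}

if __name__ == "__main__":
    wire = encode_message(SAMPLE_MESSAGE, SAMPLE_KEY)
    print(wire)
    print(try_decode(wire, SAMPLE_KEY, "demo-campaign"))
```

Given a key recovered from the loader's string-decryption routine, decode_message() on a captured request body yields the cleartext; try_decode() returning None on a genuine capture usually means the key is wrong or the sample's framing differs from the length-prefix convention assumed here.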

Network traffic is sent to a range of domains, some of them previously seen in malware aimed at the BeamNG gaming community, indicating possible infrastructure overlap or reuse by the same actors.

Further analysis uncovered telltale signs confirming the link between the npm campaign and prior attacks.

(Figure: phishing email)

For example, one lighter Scavenger variant left behind a debug path containing the "scavenger" name and used a simple cURL download launched through WinExec to fetch additional payloads. This, together with the overlap in command-and-control domains, solidifies the attribution.

Security researchers and the npm ecosystem maintainers responded by removing the affected package versions and investigating related accounts.

The community continues to monitor post-compromise indicators and encourages developers to review dependencies installed during the incident window. Given that the second stage is an infostealer aimed at browser data, any machine on which a poisoned version was installed should be treated as compromised, with browser sessions, npm and other developer tokens, and stored credentials rotated rather than merely scanned.

Indicators of Compromise

Indicator Type: URLs
https://ac7b2eda6f1.datahog.su
https://datahog.su
https://datacrab-analytics.com
https://datalytica.su
https://smartscreen-api.com
https://dieorsuffer.com
https://firebase.su
https://fileservice.gtainside.com/fileservice/downloads/ftpk/1743451692_Visual%20Car%20Spawner%20v3.4.zip

Indicator Type: Hashes (SHA-256)
877f40dda3d7998abda1f65364f50efb3b3aebef9020685f57f1ce292914feae
9ec86514d5993782d455a4c9717ec4f06d0dfcd556e8de6cf0f8346b8b8629d4
0254abb7ce025ac844429589e0fec98a84ccefae38e8e9807203438e2f387950
dd4c4ee21009701b4a29b9f25634f3eb0f3b7f4cc1f00b98fc55d784815ef35b
c4504c579025dcd492611f3a175632e22c2d3b881fda403174499acd6ec39708
1aeab6b568c22d11258fb002ff230f439908ec376eb87ed8e24d102252c83a6e
c3536b736c26cd5464c6f53ce8343d3fe540eb699abd05f496dcd3b8b47c5134
90291a2c53970e3d89bacce7b79d5fa540511ae920dd4447fc6182224bbe05c5
8c8965147d5b39cad109b578ddb4bfca50b66838779e6d3890eefc4818c79590
75c0aa897075a7bfa64d8a55be636a6984e2d1a5a05a54f0f01b0eb4653e9c7a
30295311d6289310f234bfff3d5c7c16fd5766ceb49dcb0be8bc33c8426f6dc4
c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441
80c1e732c745a12ff6623cbf51a002aa4630312e5d590cd60e621e6d714e06de
d845688c4631da982cb2e2163929fe78a1d87d8e4b2fe39d2a27c582cfed3e15


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
