Scavenger Malware Compromises Popular npm Packages to Target Developers

The well-known npm package eslint-config-prettier was released without authorization, according to several GitHub users, even though its repository did not contain any corresponding code changes.

The maintainer later confirmed via social media that their npm account was compromised through a phishing email. The affected releases are eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7; eslint-plugin-prettier versions 4.2.2 and 4.2.3; synckit version 0.11.9; @pkgr/core version 0.2.8; and napi-postinstall version 0.3.1.

Compromise Details

This supply-chain attack distributed a novel malware dubbed “Scavenger” due to recurring strings like “SCVNGR” in its variants.

String decryption routine

The infection vector targets Windows systems through an install.js script shipped in the compromised packages, which runs a function named logDiskSpace.

This function checks whether the platform is win32 and, if so, spawns a child process that uses rundll32.exe to load a malicious DLL named node-gyp.dll, hashed as c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441.

Compiled on the same day as the package distribution, this DLL acts as a loader, initiating a separate thread for its core operations.
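As an added defender-side check that is not code from the article or from the affected projects: the script below flags the compromised versions listed in the maintainer's statement inside a lockfileVersion 2/3 package-lock.json, and applies a heuristic for the install-script pattern just described (a win32 platform check combined with a rundll32.exe child process). The helper names and both sample inputs are constructed for this example.

```javascript
// Added example: audit a package-lock.json for the compromised releases named in the
// article, and flag install scripts matching the rundll32.exe loader pattern.
const COMPROMISED_VERSIONS = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
};

// Keys in lock.packages look like "node_modules/@pkgr/core" or
// "node_modules/a/node_modules/b"; the package name is whatever follows the last
// "node_modules/". The root project has the key "" and is skipped.
function findCompromisedPackages(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = key.split("node_modules/").pop();
    if (!name || !entry || !entry.version) continue;
    const bad = COMPROMISED_VERSIONS[name];
    if (bad && bad.includes(entry.version)) {
      hits.push({ path: key, name, version: entry.version });
    }
  }
  return hits;
}

// Heuristic for the install-script pattern described in the article: a platform
// check for win32 together with a reference to rundll32.exe in the same script.
function looksLikeRundll32Loader(scriptSource) {
  const checksWin32 = /process\.platform\s*===?\s*['"]win32['"]/.test(scriptSource);
  const spawnsRundll32 = /rundll32(\.exe)?/i.test(scriptSource);
  return checksWin32 && spawnsRundll32;
}

// Constructed sample lockfile: two compromised versions (one nested), one clean one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7" },
    "node_modules/synckit": { version: "0.11.8" },
    "node_modules/eslint-plugin-prettier/node_modules/@pkgr/core": { version: "0.2.8" },
  },
};

// Constructed sample of a suspicious install script (not the real payload).
const SAMPLE_INSTALL_JS =
  "function logDiskSpace() { if (process.platform === 'win32') " +
  "{ require('child_process').spawn('rundll32.exe', ['node-gyp.dll']); } }";
```

Run findCompromisedPackages on JSON.parse of a real package-lock.json and looksLikeRundll32Loader on the contents of any install or postinstall script under node_modules; a non-empty hit list or a true result is a reason to quarantine the tree rather than run it.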

The phishing campaign itself, involving device code techniques, was detailed separately by security researcher Rad in a writeup on npm supply-chain attacks, highlighting how attackers gained initial access.


Malware Analysis

Scavenger’s loader, written in Visual Studio C++, employs sophisticated anti-analysis measures to evade detection.

According to the report, it performs anti-VM checks by querying the raw SMBIOS firmware table via GetSystemFirmwareTable and scanning it for signatures such as “VMware”, “qemu”, or “QEMU”.

Additional defenses include enumerating process modules for antivirus-related DLLs such as snxhk.dll (Avast), SbieDll.dll (Sandboxie), and cmdvrt32.dll (Comodo), as well as tools like vehdebug-x86_64.dll (CheatEngine).

It also checks system attributes: it requires more than three processors (queried via NtQuerySystemInformation) and confirms it is not running in a console by calling WriteConsoleW. If any check fails, it deliberately crashes through a null-pointer dereference.

The malware dynamically resolves functions using a CRC32 hashing routine on loaded modules from the Process Environment Block (PEB), converting Unicode DLL names to ASCII and computing hashes without caching for added obfuscation.

It unhooks APIs such as NtSetInformationThread and NtQuerySystemInformation by using indirect syscalls and patching the hooked instructions, bypassing EDR hooks. Strings are encrypted with XOR keys such as 0x39541b2f8f3ef92d and decrypted on the fly.

Communication with command-and-control (C2) servers uses libcurl and XXTEA encryption (identifiable by the DELTA constant 0x9e3779b9), sending base64-encoded payloads to endpoints such as /c/k2 for campaign IDs and /c/v for integrity checks.

The second-stage stealer mirrors these techniques, targeting Chromium artifacts such as Extensions, ServiceWorkerCache, DawnWebGPUCache, and Visited Links for data exfiltration, potentially harvesting authentication tokens, session data, or browsing history.

Variants link to prior campaigns, including a BeamNG executable infection, with slip-ups like exposed PDB paths (C:UsersuserDesktopXscavengerscavenger-mainscavenger-clientx64Releasedropper-cmd.pdb) confirming the “Scavenger” name and sloppy WinExec calls executing curl commands to fetch additional payloads.

