npm Supply Chain Attack Exposes Devs to “Scavenger” Malware Via Phished Accounts
A major incident has rocked the npm ecosystem: the widely-used package eslint-config-prettier suddenly received an update devoid of any corresponding changes on GitHub. Developers quickly grew suspicious—and with good reason. The package’s maintainer later revealed that he had fallen victim to a phishing attack, resulting in the compromise of his account.
The attackers exploited this access to publish tainted versions not only of eslint-config-prettier, but also of several other popular packages including eslint-plugin-prettier, snyckit, @pkgr/core, and napi-postinstall. These packages are deeply integrated into the build pipelines of numerous projects, making the attack particularly insidious—malicious code was injected into systems automatically during dependency installation.
The malware was introduced via an install.js script that executed a DLL payload. This malicious program, dubbed Scavenger, was engineered for stealth and resilience against analysis. It performed checks to detect virtual machines, hunted for debugging and sandboxing tools, obfuscated system calls, and encrypted internal strings. Such measures rendered it exceptionally elusive, even for advanced antivirus engines and monitoring systems.
Upon activation, Scavenger established a connection with command-and-control servers to retrieve additional instructions. In its second phase, it harvested sensitive data from Chromium-based browsers: browsing history, extensions, session tokens, and authentication credentials. This trove of information could then be weaponized for account hijacking and follow-on attacks against broader infrastructure.
Particular scrutiny fell on the build artifacts—infected versions contained folder names and debugging paths referencing “SCVNGR”, as well as poorly crafted system utility calls. These breadcrumbs suggest haste or insufficient sophistication, despite the overall complexity of the malware.
The initial breach occurred through a counterfeit email, in which the attackers employed device-code authorization—a method that bypasses two-factor authentication. Experts note that the operation was meticulously orchestrated: beginning with phishing, followed by a seamless npm package swap, and culminating in the silent exfiltration of user data.
This episode serves as yet another stark reminder: even the most trusted libraries can, without warning, become conduits for devastating attacks.
