On July 22, 2025, cybersecurity researchers highlighted the proliferation of Scavenger malware, a stealthy threat embedded in popular npm packages to target developers and facilitate supply chain attacks. First observed following a phishing-based compromise of package maintainers, this malware has infected packages like eslint-config-prettier, stealing credentials and enabling remote access. Shared by users like @R4yt3d on X, the campaign underscores vulnerabilities in open-source ecosystems, urging developers to vet dependencies rigorously. With over 30 million weekly downloads for affected packages, the potential impact is vast. Below, we detail the malware, its methods, tactics, implications, and mitigation strategies.
Scavenger is a two-stage, Windows-focused malware family designed for credential theft and persistence. The first stage acts as a downloader, fetching the second-stage payload that extracts sensitive data like AWS keys, GitHub tokens, and browser credentials. Named "Scavenger" due to a debug string in one sample, it employs obfuscation techniques like string encryption and anti-analysis checks to evade detection. The malware communicates with C2 servers for exfiltration, using hardcoded domains like update.microsoftedge[.]live. Affected packages include eslint-config-prettier (compromised versions 9.1.2 and later), with unauthorized releases injecting malicious scripts. Other packages like the 'is' utility were also hijacked in this expanding campaign. The attack began around July 18, 2025, after maintainers' tokens were phished.
The primary vector is a supply chain attack: attackers phish npm maintainers to steal publishing tokens, then release malicious versions of popular packages. Developers installing these packages execute embedded scripts that download Scavenger from GitHub repositories or malicious domains. Steps include:
This method echoes past attacks on npm, but Scavenger's focus on developer tools amplifies risks.
Scavenger uses advanced evasion: the first stage checks for debuggers and virtual environments before downloading the second stage. It steals from browsers (Chrome, Edge), cloud services (AWS, Azure), and version control systems (GitHub, GitLab). Exfiltrated data supports further compromises, like deploying backdoors or ransomware. The campaign evolved quickly, with multiple packages targeted after the initial compromise. There is no attribution to specific actors, but the tactics resemble those of state-sponsored or financially motivated groups. Analysis by Invoke RE and @cyb3rjerry revealed debug artifacts that aided naming and reversal.
This attack threatens the npm ecosystem, with potential for widespread credential theft leading to data breaches or further supply chain exploits. Developers risk exposing corporate networks, amplifying the impact on organizations that rely on open-source software. It highlights maintainer vulnerabilities, eroding trust in repositories and necessitating stricter security.
To protect against Scavenger:
npm has revoked compromised tokens and removed malicious versions, but vigilance is key. For IOCs and analysis, consult Invoke RE's blog or Malpedia. As open-source threats rise, proactive vetting safeguards the ecosystem.
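As an added example of the dependency vetting the post recommends (this is not code from the post, from Invoke RE, or from npm), the script below audits an npm lockfile's `packages` map for the two signals relevant here: entries npm marks with `hasInstallScript`, which is the hook a hijacked package uses to run a downloader during `npm install`, and package@version pairs on a known-compromised list. The `KNOWN_COMPROMISED` list and the sample lockfile are constructed placeholders seeded only from the version the post names.

```javascript
// Added example, not code from the post or from Invoke RE. Audits an npm
// lockfile (v2/v3 "packages" map) for two things the post warns about:
// install-time lifecycle scripts (how a hijacked package runs its downloader
// during `npm install`; npm records them as hasInstallScript) and
// package@version pairs known to be compromised.

// Placeholder seeded from the post (eslint-config-prettier 9.1.2); the post says
// later versions were affected too, so maintain this from an advisory feed.
const KNOWN_COMPROMISED = {
  "eslint-config-prettier": new Set(["9.1.2"]),
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock, compromised = KNOWN_COMPROMISED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    const version = meta.version;
    if (compromised[name] && compromised[name].has(version)) {
      findings.push({ name, version, path, reason: "known-compromised version" });
    }
    if (meta.hasInstallScript === true) {
      findings.push({ name, version, path, reason: "install-time lifecycle script" });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment, not a real project's lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "9.1.2", hasInstallScript: true },
    "node_modules/example-dep": { version: "2.0.0" },
    "node_modules/a/node_modules/@scope/b": { version: "0.1.0", hasInstallScript: true },
  },
};

// Run directly to audit the sample; print one line per finding for review.
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.reason}: ${f.name}@${f.version} (${f.path})`);
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`; an install-script finding is a prompt to review the package, not proof of compromise, since many legitimate native modules declare one.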