
Scavenger

aka: scavenger, SCVNGR, scvngr

Scavenger is a stealthy, two-stage malware family first observed in July 2025 following a targeted supply-chain attack on the npm ecosystem. The infection chain began with a phishing campaign that used a typo-squatted domain (npnjs.com) to impersonate the legitimate npm login page. The adversaries abused npm's web-based login flow—much like device-code phishing—to trick a package maintainer into generating an automation access token. Such tokens are intended for CI use: they do not expire and, depending on the package's 2FA settings, can publish without a second-factor prompt, so a single stolen token was sufficient to push new package versions.

With the stolen token, the attackers injected malicious payloads into several trusted npm packages, including eslint-config-prettier, by modifying their install scripts so that installation executes a DLL loader on Windows hosts. This first-stage loader, built with Visual Studio, performs anti-VM checks, resolves Windows APIs at runtime by the CRC32 hash of their names (so the import table reveals nothing), issues indirect syscalls to evade user-mode EDR hooks, and decrypts its strings on demand. Only if the environment passes these checks does it execute the second-stage infostealer, which targets browser data—particularly from Chromium-based browsers—such as extension state, cached content, and visited URLs.

The malware communicates with its command-and-control infrastructure using libcurl, sending XXTEA-encrypted payloads over HTTP(S) and performing a challenge-response integrity check when a session is initialized. Development artifacts—such as a leftover PDB path—together with operational overlaps have linked Scavenger to other campaigns, including one involving a trojanized BeamNG game binary, suggesting a broader and evolving threat infrastructure.

References
2025-07-28 · Invoke RE · Josh Reynolds
Scavenger Malware Distributed via num2words PyPI Supply Chain Compromise
Scavenger
2025-07-24 · Dr.Web · Dr.Web
Gamers, get ready: scammers disguise cryptocurrency and password-stealing Scavenger trojans as cheats and mods
Scavenger
2025-07-20 · Invoke RE · cyb3rjerry, Josh Reynolds
Install Linters, Get Malware - DevSecOps Speedrun Edition
Scavenger
2025-07-20 · Invoke RE · cyb3rjerry, Josh Reynolds
Scavenger Malware Distributed via eslint-config-prettier NPM Package Supply Chain Compromise
Scavenger
2025-07-20 · Utkonos · Utkonos
Supply Chain Trojan sc_trojan_jwjf
Scavenger
Yara Rules
[TLP:WHITE] win_scavenger_auto (20260504 | Detects win.scavenger.)
rule win_scavenger_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.scavenger."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scavenger"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * - The per-byte comments below were regenerated as x64 disassembly. The
     *   original auto-generated comments did not line up with the bytes next
     *   to them (they showed 32-bit decodings such as "dec eax" for the 0x48
     *   REX.W prefix and were offset from the sequences they annotate).
     * - Every sequence is plain rsp-relative load/store traffic of the kind an
     *   unoptimized (/Od) MSVC x64 build emits; none carries a family-specific
     *   constant, string or API hash. Expect false positives on other
     *   unoptimized x64 MSVC binaries -- measure the hit rate on a clean
     *   corpus before using this rule for alerting rather than hunting.
     * - The condition has no MZ/PE header check, so the rule can also fire on
     *   memory dumps and unpacked images (consistent with the disclaimer).
     */


    strings:
        // Stack-slot shuffling: spill rax, take the address of a stack byte,
        // copy one byte between two adjacent stack slots.
        $sequence_0 = { 4889842480000000 488d442421 4889842488000000 0fb6442422 88442423 488b442450 }
            // n = 6, score = 900
            //   4889842480000000     | mov                 qword ptr [rsp + 0x80], rax
            //   488d442421           | lea                 rax, [rsp + 0x21]
            //   4889842488000000     | mov                 qword ptr [rsp + 0x88], rax
            //   0fb6442422           | movzx               eax, byte ptr [rsp + 0x22]
            //   88442423             | mov                 byte ptr [rsp + 0x23], al
            //   488b442450           | mov                 rax, qword ptr [rsp + 0x50]

        // Two-argument call: rcx/rdx are the first two integer arguments in
        // the Win64 calling convention; the call target is wildcarded.
        $sequence_1 = { 488b9424f8000000 488b8c24e8000000 e8???????? 90 }
            // n = 4, score = 900
            //   488b9424f8000000     | mov                 rdx, qword ptr [rsp + 0xf8]
            //   488b8c24e8000000     | mov                 rcx, qword ptr [rsp + 0xe8]
            //   e8????????           | call                <rel32 wildcarded>
            //   90                   | nop

        // Load a byte through a pointer and branch if it is zero -- the shape
        // of a NUL-terminator test (inferred from the opcode pattern only).
        $sequence_2 = { 488bc1 0fb600 85c0 7413 }
            // n = 4, score = 900
            //   488bc1               | mov                 rax, rcx
            //   0fb600               | movzx               eax, byte ptr [rax]
            //   85c0                 | test                eax, eax
            //   7413                 | je                  +0x13

        // Indexed byte store: dst[base + index] = byte. Looks like the body
        // of a byte-wise copy or decode loop -- TODO confirm against a sample.
        $sequence_3 = { 488b842450010000 488b4c2430 4803c8 488bc1 488b4c2438 0fb6542420 881401 }
            // n = 7, score = 900
            //   488b842450010000     | mov                 rax, qword ptr [rsp + 0x150]
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   4803c8               | add                 rcx, rax
            //   488bc1               | mov                 rax, rcx
            //   488b4c2438           | mov                 rcx, qword ptr [rsp + 0x38]
            //   0fb6542420           | movzx               edx, byte ptr [rsp + 0x20]
            //   881401               | mov                 byte ptr [rcx + rax], dl

        // Two pointer stores, then index * 0x20 -- consistent with 32-byte
        // elements (presumably MSVC std::string, sizeof == 32 on x64; verify).
        $sequence_4 = { 488908 488b442450 488b4c2428 488908 486b44247820 }
            // n = 5, score = 900
            //   488908               | mov                 qword ptr [rax], rcx
            //   488b442450           | mov                 rax, qword ptr [rsp + 0x50]
            //   488b4c2428           | mov                 rcx, qword ptr [rsp + 0x28]
            //   488908               | mov                 qword ptr [rax], rcx
            //   486b44247820         | imul                rax, qword ptr [rsp + 0x78], 0x20

        // Function prologue (0x28 = 0x20 shadow space + 8 for alignment) and a
        // capacity > 15 test at +0x18 -- resembles the MSVC std::string SSO
        // check, but that is an inference from the offsets alone.
        $sequence_5 = { 4883ec28 488b442430 4889442408 488b442430 488378180f 760a }
            // n = 6, score = 900
            //   4883ec28             | sub                 rsp, 0x28
            //   488b442430           | mov                 rax, qword ptr [rsp + 0x30]
            //   4889442408           | mov                 qword ptr [rsp + 0x8], rax
            //   488b442430           | mov                 rax, qword ptr [rsp + 0x30]
            //   488378180f           | cmp                 qword ptr [rax + 0x18], 0xf
            //   760a                 | jbe                 +0xa

        // Inline memcpy: rdi = dst, rsi = src, rcx = byte count, rep movsb.
        $sequence_6 = { 488bc1 48898424b8000000 488bbc24b8000000 488bb42448010000 488b8c2450010000 f3a4 }
            // n = 6, score = 900
            //   488bc1               | mov                 rax, rcx
            //   48898424b8000000     | mov                 qword ptr [rsp + 0xb8], rax
            //   488bbc24b8000000     | mov                 rdi, qword ptr [rsp + 0xb8]
            //   488bb42448010000     | mov                 rsi, qword ptr [rsp + 0x148]
            //   488b8c2450010000     | mov                 rcx, qword ptr [rsp + 0x150]
            //   f3a4                 | rep movsb           byte ptr [rdi], byte ptr [rsi]

        // Spill/reload of rax, then set up r8 (3rd arg) and rdx (2nd arg)
        // ahead of a call that lies outside the sequence.
        $sequence_7 = { 4889442450 488b442450 4c8bc0 488b542478 }
            // n = 4, score = 900
            //   4889442450           | mov                 qword ptr [rsp + 0x50], rax
            //   488b442450           | mov                 rax, qword ptr [rsp + 0x50]
            //   4c8bc0               | mov                 r8, rax
            //   488b542478           | mov                 rdx, qword ptr [rsp + 0x78]

        // (end - begin) >> 5: element count of a 32-byte-element range.
        $sequence_8 = { 488b4008 482bc1 48c1f805 4889442440 488b442440 }
            // n = 5, score = 900
            //   488b4008             | mov                 rax, qword ptr [rax + 0x8]
            //   482bc1               | sub                 rax, rcx
            //   48c1f805             | sar                 rax, 0x5
            //   4889442440           | mov                 qword ptr [rsp + 0x40], rax
            //   488b442440           | mov                 rax, qword ptr [rsp + 0x40]

        // Zero a result slot, then "if size >= 0x1000 call f(size)" -- the
        // 4 KiB threshold resembles the MSVC allocator's large-block path
        // (inferred; the callee is wildcarded).
        $sequence_9 = { 48c744243000000000 eb35 48817c242800100000 7211 488b4c2428 e8???????? 4889442430 }
            // n = 7, score = 900
            //   48c744243000000000   | mov                 qword ptr [rsp + 0x30], 0x0
            //   eb35                 | jmp                 +0x35
            //   48817c242800100000   | cmp                 qword ptr [rsp + 0x28], 0x1000
            //   7211                 | jb                  +0x11
            //   488b4c2428           | mov                 rcx, qword ptr [rsp + 0x28]
            //   e8????????           | call                <rel32 wildcarded>
            //   4889442430           | mov                 qword ptr [rsp + 0x30], rax

    condition:
        // 7 of the 10 sequences in a file smaller than 2992128 bytes (~2.85 MiB);
        // no PE header check, see the review note above.
        7 of them and filesize < 2992128
}
[TLP:WHITE] win_scavenger_w0   (20250719 | Matches Scavenger DLLs related to the ones found in the Prettier NPM supply chain compromise.)
rule win_scavenger_w0 {

    meta:
        author = "Malware Utkonos"
        date = "2025-07-19"
        description = "Matches Scavenger DLLs related to the ones found in the Prettier NPM supply chain compromise."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scavenger"
        malpedia_rule_date = "20250719"
        malpedia_hash = ""
        malpedia_version = "20250719"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // One x64 hash comparison: load a 32-bit constant into ecx, compare it
        // with rax, branch if unequal. 0xcd8fc5c4 is presumably one of the
        // CRC32 API-name hashes the loader resolves at runtime -- TODO confirm
        // which API. Only the jne opcode (0x75) is matched; its rel8
        // displacement is left out, presumably so the pattern does not depend
        // on the jump distance. A rebuilt sample using a different hash seed
        // would not match this rule.
        //   18000d555  b9 c4 c5 8f cd     mov     ecx, 0xcd8fc5c4
        //   18000d55a  48 3b c1           cmp     rax, rcx
        //   18000d55d  75 14              jne     0x18000d573
        $hash_compare = { B9 C4 C5 8F CD  48 3B C1  75 }

    condition:
        // PE file on disk: "MZ" stub, then "PE\0\0" at e_lfanew. YARA treats an
        // out-of-range uint32() read as undefined, so a truncated header cannot
        // satisfy the condition.
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x00004550
        and $hash_compare
}