win.scavenger

Scavenger

aka: scavenger, SCVNGR, scvngr

Scavenger is a stealthy, two-stage malware family first observed in July 2025 following a targeted supply chain attack on the NPM ecosystem. The infection chain began with a phishing campaign that used the typo-squatted domain npnjs.com to impersonate the legitimate NPM login page. The adversaries abused NPM's web-based login flow, in a manner akin to device code phishing, to trick a package maintainer into generating an automation access token; such tokens do not expire and, depending on the account's configuration, can be used to publish without a 2FA prompt.

With the stolen token, the attackers injected malicious payloads into several trusted NPM packages, including eslint-config-prettier, by modifying their install scripts to execute a DLL loader. This first-stage loader, compiled in Visual Studio, performs anti-VM checks, resolves Windows APIs dynamically by comparing CRC32 hashes of export names, issues indirect syscalls to evade user-mode EDR hooks, and decrypts its strings at runtime. Only if the environment passes these checks does it execute the second stage, an infostealer that targets browser data, particularly from Chromium, such as extension state, cached content, and visited URLs.
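The CRC32-based API resolution described above works the same way in most loaders: an export name table is walked, each name is hashed, and the hash is compared with a constant embedded in the binary. The following is an added example (not Scavenger's code and not from the referenced reports) showing both the loader-side lookup and the analyst-side reverse lookup that turns lifted constants back into names. It assumes the standard zlib CRC32 and exposes the two details that commonly vary between loaders, whether the terminating NUL is hashed and whether names are case-folded; the API list and the hash constants are constructed for the example, and the exact variant Scavenger uses has to be confirmed against the sample.

```python
import zlib

# Constructed list of export names for the example; the real loader's API set
# must be recovered from the sample itself.
EXAMPLE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "CreateFileW",
    "IsDebuggerPresent", "GetSystemInfo", "Sleep",
]

# Hashing variants a loader might use; which one Scavenger uses is an
# assumption to be confirmed against the sample.
VARIANTS = [
    {"include_nul": i, "lowercase": l} for i in (False, True) for l in (False, True)
]


def api_hash(name: str, include_nul: bool = False, lowercase: bool = False) -> int:
    """CRC32 of an export name. Assumes the standard CRC32 (reflected
    polynomial 0xEDB88320, init and final XOR 0xFFFFFFFF) that zlib.crc32
    computes; a loader with a custom table would need its own routine."""
    text = name.lower() if lowercase else name
    raw = text.encode("ascii") + (b"\x00" if include_nul else b"")
    return zlib.crc32(raw) & 0xFFFFFFFF


def export_name_for_hash(exports, target: int, **variant):
    """What the loader does at runtime: walk a module's export name table,
    hash each name and return the first one whose hash equals the embedded
    constant. Returns None when nothing matches."""
    for name in exports:
        if api_hash(name, **variant) == target:
            return name
    return None


def build_hash_table(names, **variant) -> dict:
    """Analyst side: precompute hash -> name for a list of candidate exports."""
    return {api_hash(n, **variant): n for n in names}


def resolve_hashes(hashes, names=EXAMPLE_APIS) -> dict:
    """Resolve hash constants lifted from a sample against every variant.
    Returns {hash: (name, variant)} for the hashes that could be resolved;
    unknown constants are simply absent from the result."""
    tables = [(v, build_hash_table(names, **v)) for v in VARIANTS]
    resolved = {}
    for h in hashes:
        for variant, table in tables:
            if h in table:
                resolved[h] = (table[h], variant)
                break
    return resolved


if __name__ == "__main__":
    # Constants "lifted from a disassembly" (constructed here by hashing known
    # names, plus one deliberately unknown value) resolved back to names.
    sample_constants = [api_hash("VirtualAlloc"),
                        api_hash("NtAllocateVirtualMemory", include_nul=True),
                        0xDEADBEEF]
    for h, (name, variant) in resolve_hashes(sample_constants).items():
        print(f"0x{h:08x} -> {name} {variant}")
```

In practice the candidate name list is the full export table of the DLLs the loader touches (kernel32, ntdll, and so on), dumped from a clean copy of the same Windows build, so that every constant in the sample can be resolved in one pass.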

The malware communicates with its command and control infrastructure using libcurl, sending XXTEA-encrypted payloads over HTTP(S) and performing challenge-response integrity checks during session initialization. Development artifacts, notably a leftover PDB path, together with operational overlaps link Scavenger to other campaigns, including one that distributed an infected BeamNG game binary, which suggests a broader and evolving threat infrastructure.
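To decode captured C2 traffic an analyst needs a faithful XXTEA implementation to pair with the key recovered from the sample. The block below is an added example, a direct port of the reference btea() routine, and is not Scavenger's code or anything from the referenced reports. Everything beyond the cipher core is an assumption for the example: a 16-byte key read as four little-endian words, data split into little-endian 32-bit words, zero padding with the true length carried in a trailing word, and the reference delta constant. The sample's framing, key layout, word order and possibly the constant must be checked against the binary; the session handshake the page mentions is not reproduced here. The message and key are constructed.

```python
import struct

DELTA = 0x9E3779B9   # reference XXTEA constant; assumed unchanged in the sample
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, k):
    # Mixing term of the reference btea() routine, truncated to 32 bits.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, k):
    """Encrypt a list of at least two uint32 words with a 4-word key."""
    v, n = list(v), len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least two words")
    rounds, s, z = 6 + 52 // n, 0, v[n - 1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(s, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, k):
    """Inverse of xxtea_encrypt_words: same schedule walked backwards."""
    v, n = list(v), len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least two words")
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(s, y, z, 0, e, k)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
    return v


def _key_words(key: bytes):
    # Assumption: 16-byte key consumed as four little-endian uint32 words.
    if len(key) != 16:
        raise ValueError("XXTEA key must be 16 bytes")
    return list(struct.unpack("<4I", key))


def xxtea_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Assumed framing: zero-pad to a word boundary (at least one word) and
    append the original byte length as a trailing word, so the plaintext
    always spans >= 2 words and decryption can strip the padding."""
    n = len(plaintext)
    padded_len = max(4, (n + 3) // 4 * 4)
    padded = plaintext + b"\x00" * (padded_len - n)
    words = list(struct.unpack("<%dI" % (padded_len // 4), padded)) + [n]
    out = xxtea_encrypt_words(words, _key_words(key))
    return struct.pack("<%dI" % len(out), *out)


def xxtea_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    if len(ciphertext) % 4 or len(ciphertext) < 8:
        raise ValueError("ciphertext must be >= 8 bytes and a multiple of 4")
    words = list(struct.unpack("<%dI" % (len(ciphertext) // 4), ciphertext))
    out = xxtea_decrypt_words(words, _key_words(key))
    n = out[-1]
    # A wrong key turns the length word into noise; refuse rather than
    # return garbage that looks like a decrypted message.
    if n > 4 * (len(out) - 1):
        raise ValueError("length word out of range: wrong key or corrupted data")
    return struct.pack("<%dI" % (len(out) - 1), *out[:-1])[:n]


if __name__ == "__main__":
    KEY = b"0123456789abcdef"                       # constructed key
    MSG = b'{"id":"host-1","cmd":"beacon"}'         # constructed C2 message
    ct = xxtea_encrypt(MSG, KEY)
    print(ct.hex())
    print(xxtea_decrypt(ct, KEY))
```

When the real framing differs (a length prefix instead of a trailing word, big-endian words, a different delta), only the wrapper functions change; the word-level routines are the cipher itself and can be validated against the sample by encrypting a known request with the recovered key and comparing the bytes on the wire.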

References
2025-07-20 | Invoke RE | cyb3rjerry, Josh Reynolds | Install Linters, Get Malware - DevSecOps Speedrun Edition [Scavenger]
2025-07-20 | Invoke RE | cyb3rjerry, Josh Reynolds | Scavenger Malware Distributed via eslint-config-prettier NPM Package Supply Chain Compromise [Scavenger]

There is no Yara-Signature yet.