A Package Meant to Improve Code Secretly Injected Malware into User Projects

Even a single phishing email can compromise the security of an entire ecosystem.

A major incident has shaken the npm ecosystem: the widely used package eslint-config-prettier suddenly received an update with no corresponding changes on GitHub. Developers quickly grew suspicious — and rightfully so. The package author later confirmed they had been phished and that their npm account had been compromised.
The attackers took advantage of this access to publish infected versions of not just eslint-config-prettier, but also other popular packages such as eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall. Since these packages are commonly embedded in build chains, the malware was automatically pulled into countless systems upon dependency installation.
The malicious code was inserted via an install.js script that launched a DLL file carrying a payload named Scavenger — a tool designed for stealth and anti-analysis. Scavenger performed checks to avoid running in virtual machines, searched for debugging or sandboxing tools, obfuscated system calls, and encrypted internal strings, making it extremely difficult to detect even by advanced antivirus or monitoring solutions.
Once active, Scavenger connected to C2 servers to receive additional commands. Its second stage involved stealing browser data from Chromium-based browsers — including browsing history, extensions, session data, and authentication tokens. These could then be exploited to hijack user accounts and launch further attacks.
What drew further attention were the build artifacts found in the compromised packages: folder names and debug paths referencing "SCVNGR", as well as poorly implemented calls to system utilities. This suggests either a rushed operation or a lack of sophistication, despite the complexity of the malware itself.
The initial compromise occurred via a phishing email that tricked the package maintainer into using device code authentication — a technique that can bypass two-factor authentication. Security researchers note the attack was well-structured: starting with phishing, followed by silent package poisoning on npm, and culminating in deep data exfiltration.
This incident serves as a stark reminder: even the most trusted libraries can instantly become a gateway for attacks.