Recently, five popular NPM (Node Package Manager) packages were compromised and modified to deliver a malicious DLL, dubbed “Scavenger”. The malware pushed via these compromised NPM packages executes in two stages: an initial first-stage loader, followed by a second-stage infostealer. 

NPM is the package manager for the Node.js JavaScript platform, which allows developers to share and manage JavaScript libraries and tools. By compromising these packages, attackers are able to perform supply chain attacks that have widespread impact and can be challenging to identify.

Here, we outline this attack and explain how the CrowdStrike Falcon® platform detects and successfully prevents the malicious NPM packages and Scavenger malware observed within this campaign.

Supply Chain Attack Overview

On July 18, 2025, an unknown adversary was observed modifying the contents of multiple NPM packages to further actions on objectives. This access was made possible following a successful credential phishing campaign targeting an NPM package maintainer that leveraged a spoofed login page and typosquatted domain of the NPM website.

In all, five NPM packages maintained by the compromised account were modified and malicious versions of those packages were published the same day. The most popular package, eslint-config-prettier, has over 30 million downloads per week, and its compromise was assigned CVE-2025-54313 with a CVSS severity rating of High.

The following specific packages and their associated versions were published as part of this campaign:

  • eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7)
  • eslint-plugin-prettier (4.2.2, 4.2.3)
  • synckit (0.11.9)
  • @pkgr/core (0.2.8)
  • napi-postinstall (0.3.1)

The altered packages included the install script install.js and the Scavenger DLL node-gyp.dll. The script is executed upon installation of the packages and spawns rundll32.exe to load the DLL node-gyp.dll.

The Scavenger DLL reads and exfiltrates the contents of the user’s NPM configuration file .npmrc, which often contains NPM authentication and access tokens. Additionally, the Scavenger DLL writes a second-stage infostealer payload to disk, which ultimately targets the victims’ browser data, including visited URLs and cached content.

The affected packages have been deprecated on the NPM repository, and clean versions have been published by the maintainer.
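To check whether a project's dependency tree pulled in one of the compromised versions listed above, the following script (an added example, not CrowdStrike's or npm's own code) audits a package-lock.json. It assumes lockfile version 2 or 3, where the `packages` map is keyed by `node_modules/...` paths; the sample lockfile below is constructed for illustration.

```javascript
// Compromised package versions from this campaign (see the list above).
const COMPROMISED = {
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
  'synckit': ['0.11.9'],
  '@pkgr/core': ['0.2.8'],
  'napi-postinstall': ['0.3.1'],
};

// Derive the package name from a lockfile "packages" key. Nested installs look
// like "node_modules/a/node_modules/@pkgr/core", so keep the last segment.
function packageNameFromPath(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Return every installed package whose exact version is a known-bad one.
// Transitive dependencies are covered because the lockfile lists every install path.
function findCompromised(lockfile) {
  const hits = [];
  for (const [lockPath, info] of Object.entries(lockfile.packages || {})) {
    if (lockPath === '') continue; // the root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    const badVersions = COMPROMISED[name];
    if (badVersions && badVersions.includes(info.version)) {
      hits.push({ name, version: info.version, path: lockPath });
    }
  }
  return hits;
}

// Constructed sample lockfile (assumption, not a real project): one clean
// synckit entry and two compromised entries, one of them nested.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.7' },
    'node_modules/synckit': { version: '0.11.8' },
    'node_modules/eslint-plugin-prettier/node_modules/@pkgr/core': { version: '0.2.8' },
  },
};

for (const hit of findCompromised(SAMPLE_LOCKFILE)) {
  console.log(`COMPROMISED: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Replace `SAMPLE_LOCKFILE` with the parsed contents of a real package-lock.json to audit a project; any hit means the install scripts from that version may already have run and the machine's .npmrc tokens should be treated as exposed.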

Falcon Platform Prevents Scavenger Malware

CrowdStrike employs a layered approach for malware detection using machine learning and indicators of attack (IOAs). The Falcon platform prevented this attack in its initial stage by detecting and quarantining the Scavenger DLL. The rundll32.exe process spawned by install.js was also prevented by behavior-based detections (IOAs).

Customers should ensure their prevention policies are properly configured with the Suspicious Processes toggle enabled.
