The widely used npm package eslint-config-prettier was published without authorization, according to several GitHub users, even though its repository contained no corresponding code changes.
The maintainer later confirmed via social media that their npm account had been compromised through a phishing email, affecting several packages, including eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7; eslint-plugin-prettier versions 4.2.2 and 4.2.3; synckit version 0.11.9; @pkgr/core version 0.2.8; and napi-postinstall version 0.3.1.
Compromise Details
This supply-chain attack distributed a novel malware family dubbed "Scavenger", named after recurring strings such as "SCVNGR" in its variants.
The infection vector targets Windows systems through an install.js script in the compromised packages, which executes a function called logDiskSpace.
This function checks for the win32 platform and spawns a child process using rundll32.exe to load a malicious DLL named node-gyp.dll, with SHA-256 hash c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441.
Compiled on the same day the packages were distributed, this DLL acts as a loader, starting a separate thread for its core operations.
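The two checks a defender wants from the paragraphs above are (a) whether a project's lockfile pins any of the compromised versions the maintainer listed and (b) whether any installed package carries an install hook that shows the rundll32 / node-gyp.dll loader pattern. The following audit script is an added example, not code from the article or from the affected projects; the lockfile and install-script fixtures at the bottom are constructed, and the assumption that a suspicious hook references a .js file shipped inside the package is mine.

```python
"""
Added example (not from the article or the affected projects): audit a
package-lock.json against the compromised versions named in the advisory
and flag install hooks that contain the rundll32 / node-gyp.dll loader
strings. Sample lockfile and script content below are constructed.
"""
from __future__ import annotations

import json
import re
from pathlib import Path

# Versions the maintainer confirmed as compromised (from the advisory text).
COMPROMISED = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
    "eslint-plugin-prettier": {"4.2.2", "4.2.3"},
    "synckit": {"0.11.9"},
    "@pkgr/core": {"0.2.8"},
    "napi-postinstall": {"0.3.1"},
}

# Strings from the install.js behaviour the article describes.
LOADER_INDICATORS = (
    re.compile(r"rundll32(\.exe)?", re.I),
    re.compile(r"node-gyp\.dll", re.I),
    re.compile(r"logDiskSpace"),
    re.compile(r"process\.platform\s*===?\s*['\"]win32['\"]"),
)


def find_compromised(lock: dict) -> list[tuple[str, str]]:
    """Return (name, version) pairs in a lockfile that match the bad list.

    Handles lockfileVersion 2/3 ("packages": {"node_modules/x": {...}})
    and the older nested "dependencies" tree (lockfileVersion 1).
    """
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in COMPROMISED.get(name, ()):
            hits.append((name, meta["version"]))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if meta.get("version") in COMPROMISED.get(name, ()):
                hits.append((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(set(hits))


def scan_install_script(source: str) -> list[str]:
    """Return the loader indicators (as regex patterns) present in a script."""
    return [p.pattern for p in LOADER_INDICATORS if p.search(source)]


def audit_project(root: str) -> dict:
    """Run both checks on a real project directory (lockfile + node_modules).

    Assumption: a lifecycle hook referencing a .js file that ships inside the
    package is the case worth reading; other hook forms are not inspected.
    """
    root_path = Path(root)
    lock = json.loads((root_path / "package-lock.json").read_text())
    flagged = {}
    for pkg_json in (root_path / "node_modules").glob("**/package.json"):
        scripts = json.loads(pkg_json.read_text()).get("scripts", {})
        for hook in ("preinstall", "install", "postinstall"):
            for js in re.findall(r"[\w./-]+\.js", scripts.get(hook, "")):
                script_file = pkg_json.parent / js
                if script_file.exists():
                    found = scan_install_script(script_file.read_text(errors="ignore"))
                    if found:
                        flagged[str(script_file)] = found
    return {"compromised": find_compromised(lock), "suspicious_scripts": flagged}


# Constructed lockfile (lockfileVersion 3 layout) for a stand-alone run.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/eslint-config-prettier": {"version": "10.1.7"},
        "node_modules/synckit": {"version": "0.11.8"},
        "node_modules/@pkgr/core": {"version": "0.2.8"},
    },
}

# Constructed install-script fixture: only the strings matter to the scanner.
SAMPLE_SCRIPT = """
// constructed fixture mimicking the described install.js, does nothing real
function logDiskSpace() {
  if (process.platform === 'win32') {
    // ... would spawn rundll32.exe with node-gyp.dll ...
  }
}
"""

if __name__ == "__main__":
    print(find_compromised(SAMPLE_LOCK))
    print(scan_install_script(SAMPLE_SCRIPT))
```

Run `audit_project("/path/to/project")` against a checked-out repository to apply both checks at once; the version check alone is enough to decide whether a rebuild from a clean lockfile is needed.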
The phishing campaign itself, involving device code techniques, was detailed separately by security researcher Rad in a write-up on npm supply-chain attacks, highlighting how the attackers gained initial access.

Malware Analysis
Scavenger's loader, written in Visual Studio C++, employs sophisticated anti-analysis measures to evade detection.
According to the report, it performs anti-VM checks by querying the raw SMBIOS firmware table via GetSystemFirmwareTable and scanning for signatures such as "VMware", "qemu", or "QEMU".
Additional defenses include enumerating process modules for antivirus-related DLLs such as snxhk.dll (Avast), SbieDll.dll (Sandboxie), and cmdvrt32.dll (Comodo), as well as tooling like vehdebug-x86_64.dll (Cheat Engine).
It also verifies system attributes, requiring more than three processors via NtQuerySystemInformation and confirming non-console execution with WriteConsoleW. If any check fails, it triggers a null-pointer crash.
The malware dynamically resolves functions using a CRC32 hashing routine over the modules loaded in the Process Environment Block (PEB), converting Unicode DLL names to ASCII and recomputing hashes without caching for added obfuscation.
It unhooks APIs such as NtSetInformationThread and NtQuerySystemInformation via indirect syscalls, patching instructions to bypass EDR hooks. Strings are encrypted with XOR keys such as 0x39541b2f8f3ef92d and decrypted on the fly.
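When a sample resolves imports by hash and stores its strings XOR-encrypted, the analyst's first job is to rebuild the lookup table and a string decoder so the disassembly becomes readable. The helpers below are an added example, not the article's or the malware author's code. The CRC32 variant (standard IEEE, as in zlib), whether names are case-folded before hashing, and the byte order in which the 64-bit XOR key is applied are all assumptions and are marked as such in the code; the sample ciphertext is constructed.

```python
"""
Added example (not from the article or the malware author): analyst helpers
for the two obfuscation layers the article describes, CRC32-hashed API name
resolution and XOR-encrypted strings. CRC variant, case handling and XOR
key byte order are assumptions; sample inputs are constructed.
"""
from __future__ import annotations

import zlib

# Names an analyst expects this loader to look up (all quoted in the article).
KNOWN_EXPORTS = [
    "GetSystemFirmwareTable",
    "NtQuerySystemInformation",
    "NtSetInformationThread",
    "WriteConsoleW",
]
KNOWN_MODULES = ["ntdll.dll", "kernel32.dll", "kernelbase.dll"]


def crc32(name: str) -> int:
    """Standard CRC-32 (reflected, init 0xFFFFFFFF, xorout 0xFFFFFFFF).
    Assumption: the loader uses this common variant; if the recovered
    routine uses different parameters, swap them in here."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(names: list[str]) -> dict[int, str]:
    """Map CRC32 -> name for both the raw and the lower-cased spelling.
    The article says DLL names are converted from Unicode to ASCII before
    hashing but not whether case is folded, so both forms are indexed."""
    table: dict[int, str] = {}
    for name in names:
        for variant in {name, name.lower()}:
            table[crc32(variant)] = variant
    return table


def resolve(table: dict[int, str], h: int) -> str | None:
    """Look up a hash constant pulled from the disassembly; None if unknown."""
    return table.get(h & 0xFFFFFFFF)


def xor_decrypt(blob: bytes, key: int, key_len: int = 8) -> bytes:
    """Decrypt a string encrypted with a repeating multi-byte XOR key.
    Assumption: the 64-bit key (e.g. 0x39541b2f8f3ef92d in the article) is
    applied little-endian, byte by byte, cycling every key_len bytes."""
    keystream = key.to_bytes(key_len, "little")
    return bytes(b ^ keystream[i % key_len] for i, b in enumerate(blob))


def xor_encrypt(plain: bytes, key: int, key_len: int = 8) -> bytes:
    """XOR is its own inverse; used only to build test fixtures."""
    return xor_decrypt(plain, key, key_len)


SAMPLE_KEY = 0x39541B2F8F3EF92D                        # key value quoted in the article
SAMPLE_CIPHERTEXT = xor_encrypt(b"/c/k2", SAMPLE_KEY)  # constructed fixture

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS + KNOWN_MODULES)
    for h, n in sorted(table.items()):
        print(f"0x{h:08x}  {n}")
    print(xor_decrypt(SAMPLE_CIPHERTEXT, SAMPLE_KEY))
```

In practice the name list is replaced by the full export tables of ntdll.dll, kernel32.dll and kernelbase.dll, and the resulting table is loaded into the disassembler to rename hash constants; the "no caching" behaviour the article notes means every resolution site carries its own constant, so the table gets used many times.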
Communications with command-and-control (C2) servers use libcurl and XXTEA encryption (identifiable by the DELTA constant 0x9e3779b9), sending base64-encoded payloads to endpoints such as /c/k2 for campaign IDs and /c/v for integrity checks.
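Recognising XXTEA from its DELTA constant is only useful if captured C2 traffic can then be decoded. The decoder below is an added example, not the article's or the malware author's code: it implements the published XXTEA algorithm (Wheeler and Needham) with DELTA 0x9e3779b9 and wraps it with the base64 layer the article mentions. Little-endian 32-bit words, a 16-byte key and zero padding with no length word are assumptions about the framing; the key and message are constructed for the demo.

```python
"""
Added example (not from the article or the malware author): decode a
base64-wrapped XXTEA payload of the kind the article attributes to the C2
channel. Word order, key layout and padding are assumptions; the sample
key and message are constructed.
"""
import base64
import struct

DELTA = 0x9E3779B9  # the constant the article uses to identify XXTEA
MASK = 0xFFFFFFFF


def _mx(sum_, y, z, p, e, k):
    # XXTEA round function, all arithmetic mod 2**32
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _to_words(data: bytes) -> list:
    # Assumption: 32-bit little-endian words, at least two of them.
    if len(data) % 4 or len(data) < 8:
        raise ValueError("XXTEA needs a multiple of 4 bytes, at least 8")
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def _from_words(words: list) -> bytes:
    return struct.pack("<%dI" % len(words), *words)


def xxtea_encrypt(plain: bytes, key: bytes) -> bytes:
    """Reference XXTEA encryption; here only used to build test fixtures."""
    v, k = _to_words(plain), _to_words(key)
    n = len(v)
    rounds, sum_, z = 6 + 52 // n, 0, v[n - 1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            z = v[p] = (v[p] + _mx(sum_, y, z, p, e, k)) & MASK
        y = v[0]
        z = v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, k)) & MASK
    return _from_words(v)


def xxtea_decrypt(cipher: bytes, key: bytes) -> bytes:
    """Reference XXTEA decryption (the analyst's side)."""
    v, k = _to_words(cipher), _to_words(key)
    n = len(v)
    rounds = 6 + 52 // n
    sum_, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            y = v[p] = (v[p] - _mx(sum_, y, z, p, e, k)) & MASK
        z = v[n - 1]
        y = v[0] = (v[0] - _mx(sum_, y, z, 0, e, k)) & MASK
        sum_ = (sum_ - DELTA) & MASK
    return _from_words(v)


def decode_c2_payload(b64: str, key: bytes) -> bytes:
    """base64 -> XXTEA decrypt -> strip zero padding.
    Assumption: zero padding; a message with genuine trailing NULs would lose them."""
    return xxtea_decrypt(base64.b64decode(b64), key).rstrip(b"\x00")


def encode_c2_payload(plain: bytes, key: bytes) -> str:
    """Inverse of decode_c2_payload, used to construct a fixture."""
    padded = plain + b"\x00" * (-len(plain) % 4)
    padded += b"\x00" * max(0, 8 - len(padded))
    return base64.b64encode(xxtea_encrypt(padded, key)).decode()


SAMPLE_KEY = bytes(range(16))                              # constructed
SAMPLE_MESSAGE = b'{"campaign":"demo","check":"/c/v"}'     # constructed

if __name__ == "__main__":
    wire = encode_c2_payload(SAMPLE_MESSAGE, SAMPLE_KEY)
    print(wire)
    print(decode_c2_payload(wire, SAMPLE_KEY))
```

The key itself has to come from the sample (the article does not publish one); once it is recovered, the same `decode_c2_payload` call applied to the bodies of /c/k2 and /c/v requests shows what campaign identifiers and integrity data the loader exchanged.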
The second-stage stealer mirrors these techniques, targeting Chromium artifacts such as Extensions, ServiceWorkerCache, DawnWebGPUCache, and Visited Links for data exfiltration, potentially harvesting authentication tokens, session data, or browsing history.
Variants link to prior campaigns, including a BeamNG executable infection, with slip-ups such as an exposed PDB path (C:\Users\user\Desktop\Xscavenger\scavenger-main\scavenger-client\x64\Release\dropper-cmd.pdb) confirming the "Scavenger" name and sloppy WinExec calls executing curl commands to fetch additional payloads.
Indicators of Compromise
| Category | IOCs |
|---|---|
| URLs | https://ac7b2eda6f1.datahog.su, https://datahog.su, https://datacrab-analytics.com, https://datalytica.su, https://smartscreen-api.com, https://dieorsuffer.com, https://firebase.su, https://fileservice.gtainside.com/fileservice/downloads/ftpk/1743451692_Visual%20Car%20Spawner%20v3.4.zip |
| Hashes (SHA-256) | 877f40dda3d7998abda1f65364f50efb3b3aebef9020685f57f1ce292914feae, 9ec86514d5993782d455a4c9717ec4f06d0dfcd556e8de6cf0f8346b8b8629d4, 0254abb7ce025ac844429589e0fec98a84ccefae38e8e9807203438e2f387950, dd4c4ee21009701b4a29b9f25634f3eb0f3b7f4cc1f00b98fc55d784815ef35b, c4504c579025dcd492611f3a175632e22c2d3b881fda403174499acd6ec39708, 1aeab6b568c22d11258fb002ff230f439908ec376eb87ed8e24d102252c83a6e, c3536b736c26cd5464c6f53ce8343d3fe540eb699abd05f496dcd3b8b47c5134, 90291a2c53970e3d89bacce7b79d5fa540511ae920dd4447fc6182224bbe05c5, 8c8965147d5b39cad109b578ddb4bfca50b66838779e6d3890eefc4818c79590, 75c0aa897075a7bfa64d8a55be636a6984e2d1a5a05a54f0f01b0eb4653e9c7a, 30295311d6289310f234bfff3d5c7c16fd5766ceb49dcb0be8bc33c8426f6dc4, c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441, 80c1e732c745a12ff6623cbf51a002aa4630312e5d590cd60e621e6d714e06de, d845688c4631da982cb2e2163929fe78a1d87d8e4b2fe39d2a27c582cfed3e15 |
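The table mixes bare hosts with one full download URL, and that distinction matters when the indicators are turned into detection logic: a bare host should match any subdomain and path, while the entry that carries a path should match only that exact URL, since its host also serves other files. The matcher below is an added example, not code from the article; the IOC values are copied from the table, the log-line format (timestamp, client, URL) is an assumption, and the log lines and file bytes are constructed.

```python
"""
Added example (not from the article): match the advisory's network and file
IOCs against proxy/DNS log lines and file hashes. IOC values come from the
table above; log format is assumed and the sample lines are constructed.
"""
from __future__ import annotations

import hashlib
from urllib.parse import urlsplit

IOC_URLS = [
    "https://ac7b2eda6f1.datahog.su",
    "https://datahog.su",
    "https://datacrab-analytics.com",
    "https://datalytica.su",
    "https://smartscreen-api.com",
    "https://dieorsuffer.com",
    "https://firebase.su",
    "https://fileservice.gtainside.com/fileservice/downloads/ftpk/1743451692_Visual%20Car%20Spawner%20v3.4.zip",
]
# A subset of the SHA-256 values from the table, enough for the demo.
IOC_HASHES = {
    "c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441",  # node-gyp.dll
    "877f40dda3d7998abda1f65364f50efb3b3aebef9020685f57f1ce292914feae",
    "9ec86514d5993782d455a4c9717ec4f06d0dfcd556e8de6cf0f8346b8b8629d4",
}

# Bare-host entries become host indicators (any subdomain or path matches);
# the single entry with a path is kept as an exact-URL indicator only.
HOST_IOCS = {urlsplit(u).hostname for u in IOC_URLS if urlsplit(u).path in ("", "/")}
URL_IOCS = {u for u in IOC_URLS if urlsplit(u).path not in ("", "/")}


def host_matches(host: str) -> str | None:
    """Return the most specific host indicator covering `host`, if any."""
    host = host.lower().rstrip(".")
    for ioc in sorted(HOST_IOCS, key=len, reverse=True):
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def match_log_line(line: str) -> dict | None:
    """Match one 'timestamp client url' line; None when nothing matches.
    Assumption: whitespace-separated fields with the URL or host third."""
    parts = line.split()
    if len(parts) < 3:
        return None
    target = parts[2]
    if target in URL_IOCS:
        return {"type": "url", "ioc": target, "line": line}
    host = urlsplit(target).hostname if "://" in target else target.split("/")[0]
    hit = host_matches(host or "")
    return {"type": "host", "ioc": hit, "line": line} if hit else None


def scan_log(lines: list[str]) -> list[dict]:
    return [m for m in map(match_log_line, lines) if m]


def match_file_hash(data: bytes) -> str | None:
    """Return the SHA-256 if it is a listed indicator, else None."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in IOC_HASHES else None


# Constructed proxy log lines for a stand-alone run.
SAMPLE_LOG = [
    "2025-01-01T10:01:02Z 10.0.0.5 https://registry.npmjs.org/eslint-config-prettier",
    "2025-01-01T10:01:09Z 10.0.0.5 https://ac7b2eda6f1.datahog.su/c/k2",
    "2025-01-01T10:02:30Z 10.0.0.7 https://fileservice.gtainside.com/fileservice/downloads/ftpk/1743451692_Visual%20Car%20Spawner%20v3.4.zip",
    "2025-01-01T10:03:00Z 10.0.0.7 https://fileservice.gtainside.com/some/other/file.zip",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["type"], hit["ioc"], "<-", hit["line"])
    print(match_file_hash(b"constructed benign bytes"))
```

Host matching deliberately returns the longest matching indicator, so a request to ac7b2eda6f1.datahog.su is attributed to that specific entry rather than to the parent datahog.su; the fourth sample line, on the same host as the listed download but a different path, is correctly left unmatched.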