The popular npm package eslint-config-prettier was published without authorization, according to several GitHub users, even though its repository did not contain any corresponding code changes.
The maintainer later confirmed via social media that their npm account had been compromised through a phishing email, affecting several packages including eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7; eslint-plugin-prettier versions 4.2.2 and 4.2.3; synckit version 0.11.9; @pkgr/core version 0.2.8; and napi-postinstall version 0.3.1.
Compromise Details
This supply-chain attack distributed a novel malware dubbed "Scavenger" because of recurring strings such as "SCVNGR" in its variants.
The infection vector targets Windows systems via an install.js script in the compromised packages, which executes a function called logDiskSpace.
This function checks for the win32 platform and spawns a child process using rundll32.exe to load a malicious DLL named node-gyp.dll, with the SHA-256 hash c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441.
Compiled on the same day the packages were distributed, this DLL acts as a loader, starting a separate thread for its core operations.
The phishing campaign itself, which used device code techniques, was detailed separately by security researcher Rad in a writeup on npm supply-chain attacks, highlighting how the attackers gained initial access.
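The install-hook pattern described above (a lifecycle script that runs install.js, which gates on win32 and spawns rundll32.exe against a bundled DLL) is exactly what a pre-install audit can flag. The following is an added example written for this article, not code from the compromised packages or from npm; the package.json and install.js contents are constructed stand-ins and the regex list is a starting point, not a complete detector.

```python
import json
import re

# Constructed sample package (not the real eslint-config-prettier files): a
# postinstall hook runs install.js, which on win32 spawns rundll32.exe to load
# a DLL, mirroring the chain described for the compromised releases.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "version": "0.0.1",
    "scripts": {"postinstall": "node install.js"},
})
SAMPLE_INSTALL_JS = r"""
const { spawn } = require('child_process');
function logDiskSpace() {
  if (process.platform === 'win32') {
    spawn('rundll32.exe', [__dirname + '\\node-gyp.dll']);
  }
}
logDiskSpace();
"""

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS = [
    (re.compile(r"child_process"), "spawns child processes"),
    (re.compile(r"rundll32(\.exe)?", re.I), "invokes rundll32"),
    (re.compile(r"\.dll\b", re.I), "references a DLL"),
    (re.compile(r"process\.platform\s*===?\s*['\"]win32['\"]"), "gates on win32"),
]

def audit_package(package_json: str, files: dict[str, str]) -> list[str]:
    """Return human-readable findings for lifecycle hooks and the JS files they run."""
    findings = []
    scripts = json.loads(package_json).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{hook}: runs '{cmd}'")
        # Every .js file named in the hook command is checked against SUSPICIOUS.
        for ref in re.findall(r"[\w./-]+\.js", cmd):
            body = files.get(ref.lstrip("./"), "")
            for pattern, why in SUSPICIOUS:
                if pattern.search(body):
                    findings.append(f"{hook} -> {ref}: {why}")
    return findings

if __name__ == "__main__":
    for line in audit_package(SAMPLE_PACKAGE_JSON, {"install.js": SAMPLE_INSTALL_JS}):
        print(line)
```

Running this against an unpacked tarball (package.json plus the files it references) before `npm install` surfaces hooks worth a manual look; a clean package with no lifecycle hooks produces no findings.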

Malware Analysis
Scavenger's loader, written in Visual Studio C++, employs sophisticated anti-analysis measures to evade detection.
According to the report, it performs anti-VM checks by querying the raw SMBIOS firmware table via GetSystemFirmwareTable and scanning it for signatures such as "VMware", "qemu", or "QEMU".
Further defenses include enumerating process modules for antivirus-related DLLs such as snxhk.dll (Avast), SbieDll.dll (Sandboxie), and cmdvrt32.dll (Comodo), as well as tooling like vehdebug-x86_64.dll (Cheat Engine).
It also verifies system attributes, requiring more than three processors via NtQuerySystemInformation and confirming non-console execution with WriteConsoleW. If any check fails, it triggers a null-pointer crash.
The malware dynamically resolves functions with a CRC32 hashing routine over the modules loaded in the Process Environment Block (PEB), converting the Unicode DLL names to ASCII and recomputing the hashes without caching for added obfuscation.
It unhooks APIs such as NtSetInformationThread and NtQuerySystemInformation via indirect syscalls, patching instructions to bypass EDR hooks. Strings are encrypted with XOR keys such as 0x39541b2f8f3ef92d and decrypted on the fly.
Communication with the command-and-control (C2) servers uses libcurl and XXTEA encryption (identifiable by its DELTA constant 0x9e3779b9), sending base64-encoded payloads to endpoints such as /c/k2 for campaign IDs and /c/v for integrity checks.
The second-stage stealer mirrors these techniques, targeting Chromium artifacts such as Extensions, ServiceWorkerCache, DawnWebGPUCache, and Visited Links for data exfiltration, potentially harvesting authentication tokens, session data, or browsing history.
Variants link back to earlier campaigns, including a BeamNG executable infection, with slip-ups such as an exposed PDB path (C:\Users\user\Desktop\Xscavenger\scavenger-main\scavenger-client\x64\Release\dropper-cmd.pdb) confirming the "Scavenger" name, and sloppy WinExec calls that run curl commands to fetch additional payloads.
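When imports are resolved by hash, the analyst's first job is to name the hash constants. The helper below is an added example written for this article, not code from the loader: it rebuilds a CRC32 table for export names of interest and scans a (constructed) byte blob for matching dword immediates. It assumes the loader uses the standard zlib CRC32 polynomial over the ASCII name; a custom polynomial or seed would need its own api_hash().

```python
import struct
import zlib

# Export names seen in the article plus two common loader staples; extend as needed.
API_NAMES = [
    "NtQuerySystemInformation", "NtSetInformationThread",
    "GetSystemFirmwareTable", "WriteConsoleW", "WinExec",
    "LoadLibraryA", "GetProcAddress",
]

def dll_name_to_ascii(utf16_name: bytes) -> str:
    """PEB module lists hold UTF-16LE names; the loader narrows them to ASCII before hashing."""
    return utf16_name.decode("utf-16-le").encode("ascii", "ignore").decode("ascii")

def api_hash(name: str) -> int:
    """Standard CRC32 over the ASCII export name (assumed to match the loader's routine)."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF

def build_table(names: list[str]) -> dict[int, str]:
    return {api_hash(n): n for n in names}

def find_hashed_apis(blob: bytes, table: dict[int, str]) -> list[tuple[int, str]]:
    """Scan every little-endian dword at every byte offset for a known API hash."""
    hits = []
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        if val in table:
            hits.append((off, table[val]))
    return hits

# Constructed stand-in for a code region: five NOPs, a hash immediate, three
# INT3 bytes, then a second hash immediate (offsets 5 and 12).
SAMPLE_BLOB = (b"\x90" * 5 + struct.pack("<I", api_hash("NtQuerySystemInformation"))
               + b"\xcc" * 3 + struct.pack("<I", api_hash("WinExec")))

if __name__ == "__main__":
    for offset, name in find_hashed_apis(SAMPLE_BLOB, build_table(API_NAMES)):
        print(f"0x{offset:04x}: {name}")
```

In practice the blob is the loader's .text section and the name list is the full export table of ntdll.dll and kernel32.dll; a hit at an offset adjacent to a call into the resolver names that call site.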
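Once the XXTEA key has been recovered from the loader, captured beacon bodies can be decoded offline. The code below is an added example written for this article, not Scavenger's own code: it is a standard XXTEA (Corrected Block TEA) implementation keyed by the DELTA constant the page identifies, wrapped in base64. The framing (zero-pad to 4 bytes, trailing length word) and the sample key are assumptions, since the page does not describe the payload layout.

```python
import base64
import struct

DELTA = 0x9E3779B9          # the XXTEA constant the page identifies in the C2 code
MASK = 0xFFFFFFFF

def _mx(s, y, z, p, e, k):
    """The XXTEA round function over 32-bit words."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK

def xxtea(v, k, decrypt=False):
    """Standard XXTEA on a list of 32-bit words with a 4-word key, in place."""
    n, rounds = len(v), 6 + 52 // len(v)
    if not decrypt:
        s, z = 0, v[-1]
        for _ in range(rounds):
            s = (s + DELTA) & MASK
            e = (s >> 2) & 3
            for p in range(n - 1):
                v[p] = z = (v[p] + _mx(s, v[p + 1], z, p, e, k)) & MASK
            v[-1] = z = (v[-1] + _mx(s, v[0], z, n - 1, e, k)) & MASK
    else:
        s, y = (rounds * DELTA) & MASK, v[0]
        for _ in range(rounds):
            e = (s >> 2) & 3
            for p in range(n - 1, 0, -1):
                v[p] = y = (v[p] - _mx(s, y, v[p - 1], p, e, k)) & MASK
            v[0] = y = (v[0] - _mx(s, y, v[-1], 0, e, k)) & MASK
            s = (s - DELTA) & MASK
    return v

SAMPLE_KEY = bytes(range(16))   # constructed key; the real one is recovered from the loader

def encode_payload(plaintext: bytes, key: bytes) -> str:
    """Zero-pad to a word boundary, append the length word, encrypt, base64 (assumed framing)."""
    padded = plaintext + b"\x00" * (-len(plaintext) % 4)
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded)) + [len(plaintext)]
    ct = xxtea(words, struct.unpack("<4I", key))
    return base64.b64encode(struct.pack("<%dI" % len(ct), *ct)).decode()

def decode_payload(payload_b64: str, key: bytes) -> bytes:
    """Inverse of encode_payload: what an analyst runs on a captured beacon body."""
    data = base64.b64decode(payload_b64)
    words = xxtea(list(struct.unpack("<%dI" % (len(data) // 4), data)),
                  struct.unpack("<4I", key), decrypt=True)
    raw = struct.pack("<%dI" % (len(words) - 1), *words[:-1])
    return raw[:words[-1]]
```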
Indicators of Compromise
Category | IOCs |
---|---|
URLs | https://ac7b2eda6f1.datahog.su, https://datahog.su, https://datacrab-analytics.com, https://datalytica.su, https://smartscreen-api.com, https://dieorsuffer.com, https://firebase.su, https://fileservice.gtainside.com/fileservice/downloads/ftpk/1743451692_Visual%20Car%20Spawner%20v3.4.zip |
Hashes | 877f40dda3d7998abda1f65364f50efb3b3aebef9020685f57f1ce292914feae, 9ec86514d5993782d455a4c9717ec4f06d0dfcd556e8de6cf0f8346b8b8629d4, 0254abb7ce025ac844429589e0fec98a84ccefae38e8e9807203438e2f387950, dd4c4ee21009701b4a29b9f25634f3eb0f3b7f4cc1f00b98fc55d784815ef35b, c4504c579025dcd492611f3a175632e22c2d3b881fda403174499acd6ec39708, 1aeab6b568c22d11258fb002ff230f439908ec376eb87ed8e24d102252c83a6e, c3536b736c26cd5464c6f53ce8343d3fe540eb699abd05f496dcd3b8b47c5134, 90291a2c53970e3d89bacce7b79d5fa540511ae920dd4447fc6182224bbe05c5, 8c8965147d5b39cad109b578ddb4bfca50b66838779e6d3890eefc4818c79590, 75c0aa897075a7bfa64d8a55be636a6984e2d1a5a05a54f0f01b0eb4653e9c7a, 30295311d6289310f234bfff3d5c7c16fd5766ceb49dcb0be8bc33c8426f6dc4, c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441, 80c1e732c745a12ff6623cbf51a002aa4630312e5d590cd60e621e6d714e06de, d845688c4631da982cb2e2163929fe78a1d87d8e4b2fe39d2a27c582cfed3e15 |