Malware Family

Scavenger

Internal ID: win.scavenger
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

Scavenger is a stealthy, two-stage malware family first observed in July 2025 following a targeted supply chain attack on the NPM ecosystem. The infection began with a phishing campaign that used a typo-squatted domain (npnjs.com) to impersonate the legitimate NPM login page. The adversaries abused NPM's web-based login flow, in a manner akin to device-code phishing, to trick a package maintainer into generating an automation access token; such tokens do not expire and can bypass 2FA under certain configurations.

With the stolen credentials, the attackers injected malicious payloads into several trusted NPM packages, including eslint-config-prettier, by modifying their install scripts to execute a DLL loader. This first-stage loader, compiled in Visual Studio, performs anti-VM checks, dynamic API resolution using CRC32 hashing, indirect syscalls to bypass EDR, and string decryption routines. If the environment passes these checks, it executes a second-stage infostealer that targets browser data, particularly from Chromium, such as extension state, cached content, and visited URLs.
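As an added illustration of the install-script vector described above (this is not code from the page or from any analysis of the real packages), the following Python audit diffs the install-phase lifecycle hooks between two published versions of a package and flags any hook that hands control to a DLL or executable. The package manifests are constructed for the example.

```python
"""Audit npm package manifests for install-phase lifecycle scripts that were
added or changed between two published versions, and for scripts that hand
execution to native Windows binaries (the hook Scavenger's operators abused).
Added example; the manifests below are constructed, not real package data."""
import re

# Hooks npm runs automatically during `npm install`, without user interaction.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# A script referencing a DLL or EXE is unusual for a pure-JavaScript config
# package and matches the DLL-loader behaviour described for Scavenger.
NATIVE_REF = re.compile(r"\S+\.(?:dll|exe)\b", re.IGNORECASE)


def install_scripts(manifest: dict) -> dict:
    """Return only the lifecycle scripts that run at install time."""
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def audit_manifest(previous: dict, current: dict) -> list:
    """Compare the install hooks of two versions and report what a reviewer
    should inspect before trusting the new release. Each finding is a dict
    with the hook name, a reason (added / changed / native-binary) and the
    command that triggered it; an unchanged, binary-free package yields []."""
    before = install_scripts(previous)
    after = install_scripts(current)
    findings = []
    for hook, cmd in after.items():
        if hook not in before:
            findings.append({"hook": hook, "reason": "added", "command": cmd})
        elif before[hook] != cmd:
            findings.append({"hook": hook, "reason": "changed", "command": cmd})
        if NATIVE_REF.search(cmd):
            findings.append({"hook": hook, "reason": "native-binary", "command": cmd})
    return findings


# Constructed manifests: a config-only package that ran no install hooks gains
# a postinstall hook launching a DLL in its next release.
PREVIOUS = {"name": "example-config", "version": "1.0.0",
            "scripts": {"test": "jest"}}
CURRENT = {"name": "example-config", "version": "1.0.1",
           "scripts": {"test": "jest",
                       "postinstall": "node install.js loader.dll"}}

if __name__ == "__main__":
    for finding in audit_manifest(PREVIOUS, CURRENT):
        print(f"{finding['reason']:14} {finding['hook']}: {finding['command']}")
```

In practice the previous manifest is fetched from the registry for the last version already in the lockfile, so the diff catches a hook that appears only in the tampered release.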

The malware communicates with its command and control infrastructure using libcurl and XXTEA-encrypted payloads over HTTP(S), implementing challenge-response integrity checks during session initialization. Development artifacts like a leftover PDB path and operational overlaps have linked Scavenger to other campaigns, including one involving an infected BeamNG game binary, further suggesting a broader and evolving threat infrastructure.

Threat Analysis

Scavenger is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.


Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.scavenger


Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.