CrowdStrike Falcon Prevents Supply Chain Attack Involving Compromised NPM Packages

Recently, five popular NPM (Node Package Manager) packages were compromised and modified to deliver a malicious DLL, dubbed “Scavenger”. The malware pushed via these compromised NPM packages executes in two stages: an initial first-stage loader, followed by a second-stage infostealer. 

NPM is the package manager for the Node.js JavaScript platform, which allows developers to share and manage JavaScript libraries and tools. By compromising these packages, attackers are able to perform supply chain attacks that have widespread impact and can be challenging to identify.

Here, we outline this attack and explain how the CrowdStrike Falcon® platform detects and successfully prevents the malicious NPM packages and Scavenger malware observed within this campaign.

Supply Chain Attack Overview

On July 18, 2025, an unknown adversary modified the contents of multiple NPM packages and published the tampered versions. The adversary obtained publishing access through a credential phishing campaign against an NPM package maintainer, which used a spoofed NPM login page hosted on a typosquatted domain of the NPM website (npnjs[.]com, listed in the IOCs below).

In all, five NPM packages maintained by the compromised account were modified and malicious versions of those packages were published the same day. The most popular package, eslint-config-prettier, has over 30 million downloads per week, and its compromise was assigned CVE-2025-54313 with a CVSS severity rating of High.

The following specific packages and their associated versions were published as part of this campaign:

  • eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7)
  • eslint-plugin-prettier (4.2.2, 4.2.3)
  • synckit (0.11.9)
  • @pkgr/core (0.2.8)
  • napi-postinstall (0.3.1)

Each altered package shipped an install script, install.js, and the Scavenger DLL, node-gyp.dll. npm runs install.js automatically as a lifecycle script when the package is installed, and the script spawns rundll32.exe to load node-gyp.dll and call its exported main function (the rundll32.exe node-gyp.dll,main command line that the hunting query below keys on). Because the payload is a Windows DLL launched through rundll32.exe, the execution stage affects Windows hosts.

The Scavenger DLL reads and exfiltrates the contents of the user's NPM configuration file, .npmrc, which often contains NPM authentication and access tokens. Anyone who installed one of the listed versions should therefore treat any token stored in .npmrc as exposed and rotate it. Additionally, the Scavenger DLL writes a second-stage infostealer payload to disk, which targets the victim's browser data, including visited URLs and cached content.

The affected versions have been deprecated on the NPM registry, and clean versions have been published by the maintainer.
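As an added example that is not part of the original post or of CrowdStrike's tooling, the following Node.js script checks a project's package-lock.json for the affected versions listed above. It understands the lockfileVersion 1 layout (nested "dependencies") as well as lockfileVersion 2 and 3 ("packages" keyed by node_modules path), and reports where in the tree each hit sits, since a compromised version may be pulled in transitively. The lockfile it parses is a constructed fixture, and findCompromised, installedPackages, walkV1 and SAMPLE_LOCK are names chosen for this example; yarn.lock and pnpm-lock.yaml are not handled.

```javascript
// Added example, not CrowdStrike code: scan an npm package-lock.json for the
// compromised versions listed in this advisory. The lockfile at the bottom is
// a constructed fixture, not a real project.
const AFFECTED_VERSIONS = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
};

// lockfileVersion 1 nests transitive deps under "dependencies"; walk recursively
// and rebuild the node_modules path so findings say where the package sits.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps)) {
    const where = `${prefix}node_modules/${name}`;
    if (entry.version) yield { name, version: entry.version, where };
    if (entry.dependencies) yield* walkV1(entry.dependencies, `${where}/`);
  }
}

// Yield every installed package as { name, version, where }. lockfileVersion 2
// carries both "packages" (v2/v3 layout) and "dependencies" (v1 layout), so the
// same install can be yielded twice; findCompromised de-duplicates on "where".
function* installedPackages(lock) {
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // root project, or a link without a version
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"; aliases carry an explicit name
    const name = entry.name || path.split("node_modules/").pop();
    yield { name, version: entry.version, where: path };
  }
  if (lock.dependencies) yield* walkV1(lock.dependencies, "");
}

// Return the compromised installs found in a lockfile's JSON text, in lockfile order.
function findCompromised(lockJson) {
  const lock = JSON.parse(lockJson);
  const seen = new Set();
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const bad = AFFECTED_VERSIONS[pkg.name];
    if (bad && bad.includes(pkg.version) && !seen.has(pkg.where)) {
      seen.add(pkg.where);
      hits.push(pkg);
    }
  }
  return hits;
}

// Constructed lockfileVersion 3 fixture: one affected package at the top level,
// one affected transitive dependency, and two packages at versions not in the list.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7", dev: true },
    "node_modules/eslint-plugin-prettier": { version: "5.0.0", dev: true },
    "node_modules/eslint-plugin-prettier/node_modules/synckit": { version: "0.11.9", dev: true },
    "node_modules/@pkgr/core": { version: "0.1.0", dev: true },
  },
});

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${hit.name}@${hit.version} at ${hit.where}`);
}
```

To check a real project, replace SAMPLE_LOCK with the contents of its package-lock.json (for example fs.readFileSync("package-lock.json", "utf8")); `npm ls eslint-config-prettier` gives a quicker single-package answer but only for the packages you ask about.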

Falcon Platform Prevents Scavenger Malware

CrowdStrike employs a layered approach to malware detection that combines machine learning with indicators of attack (IOAs). In this campaign the Falcon platform prevented the attack at its initial stage: machine learning identified the Scavenger DLL as malicious and quarantined it, and the rundll32.exe process that install.js spawns to load the DLL was blocked by behavior-based detections (IOAs).

Customers should ensure their prevention policies are properly configured with the Suspicious Processes toggle enabled.

Figure 1. Scavenger DLL node-gyp.dll is identified as malicious and quarantined by machine learning detections
Figure 2. The rundll32.exe process attempting to execute the Scavenger DLL is prevented by IOAs

As Figures 1 and 2 show, the Falcon platform blocks multiple steps in the attack's kill chain, so no malicious actions are performed on a victim host.

Indicators of Compromise

Indicator of Compromise (IOC) | Description
npnjs[.]com | Phishing domain
32d0dbdfef0e5520ba96a2673244267e204b94a49716ea13bf635fa9af6f66bf | SHA256 hash of the package installation script install.js
c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441 | SHA256 hash of the first-stage Scavenger loader
5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9 | SHA256 hash of the second-stage Scavenger stealer
firebase[.]su | Scavenger C2 domain
dieorsuffer[.]com | Scavenger C2 domain
smartscreen-api[.]com | Scavenger C2 domain
https[:]//firebase[.]su/c/k2 | Scavenger C2 URL
https[:]//dieorsuffer[.]com/c/k2 | Scavenger C2 URL
https[:]//smartscreen-api[.]com/c/k2 | Scavenger C2 URL

To hunt on the IOCs listed above, the following LogScale query may be used (all four domains from the table are included, so that firebase[.]su is caught on domain fields as well as on its C2 URL):

case {
    in("DomainName", values=["npnjs.com", "firebase.su", "dieorsuffer.com", "smartscreen-api.com"]);
    in("destination.domain", values=["npnjs.com", "firebase.su", "dieorsuffer.com", "smartscreen-api.com"]);
    in("url.original", values=["https://firebase.su/c/k2", "https://dieorsuffer.com/c/k2", "https://smartscreen-api.com/c/k2"]);
    in("SHA256HashData", values=["c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441", "5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9", "32d0dbdfef0e5520ba96a2673244267e204b94a49716ea13bf635fa9af6f66bf"]);
}

Additionally, the following LogScale query surfaces the execution stage itself: rundll32.exe launched by a node process with node-gyp.dll,main on the command line.

#event_simpleName=ProcessRollup2 event_platform=Win
| ParentBaseFileName=/node/i
| FileName=/rundll32\.exe/i
| CommandLine=/node-gyp\.dll,main/i
| table([@timestamp, cid, aid, ComputerName, CommandLine])
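The following is an added example, not CrowdStrike code or a Falcon feature: it re-implements the two hunts above as JavaScript predicates and runs them over constructed telemetry records, so the matching logic can be exercised offline or applied to telemetry exported from another source. Field names mirror the LogScale queries (DomainName, destination.domain, url.original, SHA256HashData, event_simpleName, ParentBaseFileName, FileName, CommandLine); the records are made up, event names other than ProcessRollup2 are illustrative, and matchIoc, isNodeSpawnedRundll32, hunt and SAMPLE_EVENTS are names chosen for this example. Domains are lower-cased with any trailing dot stripped and hashes are compared case-insensitively, because telemetry from different sources does not always arrive normalized.

```javascript
// Added example, not CrowdStrike code: the two LogScale hunts above as plain
// JavaScript predicates, run over constructed telemetry so the logic can be
// exercised offline. Field names mirror the queries; the records are made up.
const IOC = {
  domains: new Set(["npnjs.com", "firebase.su", "dieorsuffer.com", "smartscreen-api.com"]),
  urls: new Set([
    "https://firebase.su/c/k2",
    "https://dieorsuffer.com/c/k2",
    "https://smartscreen-api.com/c/k2",
  ]),
  sha256: new Set([
    "32d0dbdfef0e5520ba96a2673244267e204b94a49716ea13bf635fa9af6f66bf", // install.js
    "c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441", // first-stage loader
    "5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9", // second-stage stealer
  ]),
};

// Telemetry is not always normalized: lower-case domains and hashes and drop a
// trailing dot from FQDNs before comparing against the IOC sets.
const normDomain = (d) => String(d || "").toLowerCase().replace(/\.$/, "");
const normHash = (h) => String(h || "").toLowerCase();

// Hunt 1 (the case {...} query): exact IOC matches on domain, URL and hash fields.
// Returns the field=value pairs that matched; empty when nothing did.
function matchIoc(ev) {
  const reasons = [];
  for (const f of ["DomainName", "destination.domain"]) {
    if (IOC.domains.has(normDomain(ev[f]))) reasons.push(`${f}=${ev[f]}`);
  }
  if (IOC.urls.has(ev["url.original"])) reasons.push(`url.original=${ev["url.original"]}`);
  if (IOC.sha256.has(normHash(ev.SHA256HashData))) reasons.push(`SHA256HashData=${ev.SHA256HashData}`);
  return reasons;
}

// Hunt 2 (the ProcessRollup2 query): rundll32.exe spawned by a node process with
// the Scavenger DLL and its "main" export on the command line.
function isNodeSpawnedRundll32(ev) {
  return ev.event_simpleName === "ProcessRollup2"
    && ev.event_platform === "Win"
    && /node/i.test(ev.ParentBaseFileName || "")
    && /rundll32\.exe$/i.test(ev.FileName || "")
    && /node-gyp\.dll,main/i.test(ev.CommandLine || "");
}

// Run both hunts over a batch of records; one finding per matching record.
function hunt(events) {
  const findings = [];
  for (const ev of events) {
    const reasons = matchIoc(ev);
    if (isNodeSpawnedRundll32(ev)) reasons.push("node -> rundll32.exe node-gyp.dll,main");
    if (reasons.length) findings.push({ aid: ev.aid, host: ev.ComputerName, reasons });
  }
  return findings;
}

// Constructed records (not real telemetry): the first three should match, the last two are benign.
const SAMPLE_EVENTS = [
  { event_simpleName: "ProcessRollup2", event_platform: "Win", aid: "aid-1", ComputerName: "DEV-01",
    ParentBaseFileName: "node.exe", FileName: "rundll32.exe",
    CommandLine: "rundll32.exe node-gyp.dll,main" },
  { event_simpleName: "DnsRequest", event_platform: "Win", aid: "aid-1", ComputerName: "DEV-01",
    DomainName: "smartscreen-api.com." },
  { event_simpleName: "FileWritten", event_platform: "Win", aid: "aid-1", ComputerName: "DEV-01",
    SHA256HashData: "5BED39728E404838ECD679DF65048ABCB443F8C7A9484702A2DED60104B8C4A9" },
  { event_simpleName: "ProcessRollup2", event_platform: "Win", aid: "aid-2", ComputerName: "DEV-02",
    ParentBaseFileName: "cmd.exe", FileName: "node.exe", CommandLine: "node install.js" },
  { event_simpleName: "DnsRequest", event_platform: "Win", aid: "aid-2", ComputerName: "DEV-02",
    DomainName: "registry.npmjs.org" },
];

for (const f of hunt(SAMPLE_EVENTS)) {
  console.log(`${f.host} (${f.aid}): ${f.reasons.join("; ")}`);
}
```

The process predicate deliberately requires all three conditions together: node as the parent, rundll32.exe as the image, and node-gyp.dll,main on the command line. A node process alone (the fourth record) is normal developer activity and is not flagged.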

Conclusion

Threat actors often abuse the NPM repository by uploading malicious packages or compromising existing ones in supply chain attacks. NPM maintainer accounts have become an attractive target for attackers, as the poisoning of legitimate, popular packages to deploy malware provides access to numerous organizations. Falcon platform customers are protected against this supply chain attack that resulted in the Scavenger malware family being deployed to victim machines.