CrowdStrike Falcon Prevents Supply Chain Attack Involving Compromised NPM Packages
ID: e52f2378-46b7-5f06-b19a-bdd02391a5c1
STIX ID: report--e52f2378-46b7-5f06-b19a-bdd02391a5c1
Feed Name: Crowdstrike Blog
On July 18, 2025, an attacker leveraged credential phishing against an NPM package maintainer to publish malicious versions of five widely used packages (including eslint-config-prettier). The compromised packages ran an install script that launched a Scavenger DLL (node-gyp.dll) via rundll32.exe; the DLL exfiltrated .npmrc authentication tokens and wrote a second-stage infostealer that harvested browser data. A CVE was assigned to the incident, affected packages were deprecated and republished cleanly, and CrowdStrike Falcon detections reportedly blocked the malicious activity.
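One way to hunt for the process chain summarized above, as an added example (not CrowdStrike's detection logic and not code from the original post): it flags `rundll32.exe` launches that name `node-gyp.dll` or that descend from a Node.js process. The event field names, the `node.exe` image name, and every sample event are constructed assumptions.

```python
import ntpath

DLL_NAME = "node-gyp.dll"    # DLL name given in the report
NODE_IMAGES = {"node.exe"}   # assumed image name of the Node.js runtime

# Constructed process-creation events (not real telemetry); paths, command
# lines and the "Entry" export name are illustrative placeholders.
NODE = r"C:\Program Files\nodejs\node.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": NODE, "cmdline": "node npm-cli.js install"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /d /s /c "node install.js"'},
    {"pid": 102, "ppid": 101, "image": NODE, "cmdline": "node install.js"},
    {"pid": 103, "ppid": 102, "image": RUNDLL,
     "cmdline": r"rundll32.exe C:\proj\node_modules\pkg\node-gyp.dll,Entry"},
    {"pid": 200, "ppid": 1, "image": RUNDLL,
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 300, "ppid": 1, "image": NODE, "cmdline": "node server.js"},
    {"pid": 301, "ppid": 300, "image": RUNDLL,
     "cmdline": "rundll32.exe printui.dll,PrintUIEntry /?"},
    {"pid": 400, "ppid": 999, "image": RUNDLL,
     "cmdline": r"rundll32.exe C:\Temp\NODE-GYP.DLL,Entry"},
]

def base(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()

def node_ancestor(event, by_pid):
    """Walk parent links; return the nearest Node.js ancestor event or None."""
    seen, ppid = set(), event["ppid"]
    while ppid in by_pid and ppid not in seen:   # 'seen' guards against PID loops
        seen.add(ppid)
        if base(by_pid[ppid]["image"]) in NODE_IMAGES:
            return by_pid[ppid]
        ppid = by_pid[ppid]["ppid"]
    return None

def detect(events):
    """Return (pid, severity, reason) for each suspicious rundll32.exe launch."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if base(e["image"]) != "rundll32.exe":
            continue
        names_dll = DLL_NAME in e["cmdline"].lower()
        under_node = node_ancestor(e, by_pid) is not None
        if names_dll and under_node:
            alerts.append((e["pid"], "high", "node-gyp.dll loaded under Node.js"))
        elif names_dll:
            alerts.append((e["pid"], "medium", "node-gyp.dll loaded, parent unknown"))
        elif under_node:
            alerts.append((e["pid"], "low", "rundll32.exe spawned under Node.js"))
    return alerts
```

The `low` tier goes beyond the one DLL name in the summary and will need tuning against legitimate Node.js tooling that shells out to `rundll32.exe`.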
