BSides Toronto 2025

When Prettier Gets Ugly: The Scavenger Supply Chain Campaign
2025-10-05, ENG 103

Supply chain attacks represent one of the most pervasive threats in modern cybersecurity, with the potential to compromise thousands of systems simultaneously. This talk presents a detailed technical analysis of a supply chain compromise campaign, which successfully compromised multiple NPM and PyPI packages within a 10-day period, affecting packages with over 30 million weekly downloads.

We’ll highlight how earlier variants targeted smaller, lesser-known assets before pivoting to high-visibility projects, and how technical similarities across samples linked this operation to previous malware families.
In July 2025, we observed multiple compromised open-source projects distributing a malware family known as Scavenger. These included popular NPM packages such as eslint-config-prettier, eslint-plugin-prettier, and others. This talk will present our collaborative investigation into Scavenger, a loader–stealer hybrid that leverages phishing and typosquatting to infiltrate developer accounts.

We will walk through our initial discovery of Scavenger, the infection vector embedded in trusted developer tooling, and the phishing campaign that enabled attackers to compromise package maintainer accounts. We’ll highlight how earlier variants targeted smaller, lesser-known assets before pivoting to high-impact projects, and how technical similarities across samples linked this operation to previous malware variants. From anti-analysis techniques and indirect syscalls to the use of encrypted C2 traffic, Scavenger demonstrates the increasing sophistication of adversaries targeting the software supply chain.

Finally, we’ll zoom out to the big picture: how this campaign impacted numerous repositories, what this means for developer trust in open-source, and how the community can build resilience against future incidents. Attendees will leave with an understanding of supply chain attack mechanics, detection strategies, and lessons learned from a weekend spent chasing malware buried inside JavaScript linting tools.

Joshua Reynolds is the founder of Invoke RE, a cybersecurity training and research company focused on reverse engineering, malware analysis and threat intelligence. With over a decade of experience, Joshua has held senior roles at industry-leading companies, including Cisco and CrowdStrike. Joshua has spoken at major conferences such as REcon, RSA, DEF CON and Virus Bulletin on topics including ransomware, malicious document analysis and automating malware analysis. In addition to his speaking engagements and research, Joshua has developed industry-standard malware analysis training courses that are taught to hundreds of students globally through his company Invoke RE.

Cedric Brisson is a Lead SOC Analyst at Coveo, where he leads detection and response operations to protect against active threats. Outside of work, he pursues malware reverse engineering as a passion, often publishing his findings and experiments under the alias Humpty on Humpty’s RE Blog. Cedric’s research is driven by curiosity and focuses on uncovering the inner workings of malicious code, documenting techniques, and sharing lessons learned with the security community. He enjoys bridging his operational experience in the SOC with the technical depth of reverse engineering to gain a fuller picture of how attackers operate.