Supply chain attacks represent one of the most pervasive threats in modern cybersecurity, with the potential to compromise thousands of systems simultaneously. This talk presents a detailed technical analysis of a supply chain campaign that successfully compromised multiple npm and PyPI packages within a 10-day period, affecting packages with over 30 million weekly downloads. We’ll highlight how earlier variants targeted smaller, lesser-known assets before pivoting to high-visibility projects, and how technical similarities across samples linked this operation to previous malware families.