A fresh supply chain ambush—Scavenger—slipped into npm through the front door. Attackers phished maintainers of high-profile packages like is, eslint-plugin-prettier, and synckit, then dropped cross-platform JavaScript malware straight into the codebase. Real-time C2 channels included.

They typosquatted with npnjs.org (slick) and hijacked contributor accounts to quietly backdoor packages nobody thought to question. Not even the malware scanners flinched.