npm

@marketfront/baobabtech @7.0.0

Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC

Malicious

OSV ID

MAL-2026-6766

Ecosystem

npm

Summary

@marketfront/baobabtech@7.0.0 declares a postinstall lifecycle hook ( node scripts/postinstall.js ) that runs unconditionally on npm install . scripts/postinstall.js is a ~160 KB obfuscator.io-encoded payload using a rotated string array with per-string RC4/XOR decoders and an anti-analysis gate that inspects process.argv[0] and NODE_OPTIONS for sandbox markers and runs a timing loop before executing. On real installer machines it assembles a payload containing the full process.env , os.platform/arch/release, os.userInfo(), os.networkInterfaces(), hostname, cwd, npm user-agent, and Windows environment variables (USERDOMAIN, COMPUTERNAME, PROCESSOR_ARCHITECTURE, PROGRAMDATA, APPDATA, LOCALAPPDATA, TEMP), then reads arbitrary files from directories chosen by decoded strings (including key=value parsing consistent with .npmrc -style credential stores) and attaches their contents to the same payload before sending it out. The package advertises itself as a database utility; none of that purpose requires whole-environment dumps, host fingerprinting, or arbitrary filesystem reads. This is an install-time credential and environment stealer.

Source: amazon-inspector (48c6526eab024e5b90615b3480f498d99f768b741191ea5e70d0f72ebabf139e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.