npm

@marketfront/basemarkettemplate @7.0.0

Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC

Malicious

OSV ID

MAL-2026-6767

Ecosystem

npm

Summary

The package ships an obfuscated scripts/postinstall.js (RC4 + shuffled string-array obfuscation, NODE_OPTIONS/argv inspector-flag check, random startup delay) that npm runs automatically on install via package.json's postinstall: node scripts/postinstall.js hook. When executed, the decoded payload collects host identifiers (hostname, username, homedir, platform, npm_config_user_agent), Windows environment variables (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA), and reads installer-owned secret files the package never wrote — shell history (.bash_history,.zsh_history), ~/.ssh, ~/.aws, ~/.netrc, and browser profile directories — using readFileSync/readdirSync helpers over byte-array-decoded path strings. The collected data is JSON-serialized, XOR-encrypted, and transmitted over two channels: an HTTPS POST to a runtime-selected hostname, and a DNS-tunnel that base32-encodes the payload into subdomain labels resolved via node's dns module. The package is scoped @marketfront/* and presents itself as an internal HTTP client with fabricated corporate URLs (github.marketfront.io, jira.marketfront.io) and private: false — the classic dependency-confusion shape targeting an organization that uses that scope internally. No real library functionality is shipped; the package is a pure delivery vehicle for the postinstall payload.

Source: amazon-inspector (66d3e4ea5397dbe076b14c24ec39301f31e7c1c3587b3aa98a1cadb9f3e89aa7)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.