npm

@marketfront/commonecommerce @7.0.0

Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC

Malicious

OSV ID

MAL-2026-6771

Ecosystem

npm

Summary

This package is a malicious install-time credential/host harvester wearing a fake corporate-telemetry cover story. On npm install , the postinstall lifecycle hook runs scripts/postinstall.js , a 162 KB obfuscator.io-style bundle that uses a shuffled string array with RC4+base64 decoders ( a0d/a0e/a0f ) to hide every literal, including all require(...) module names ( fs , http , https , dns , os ) and destination hosts. At install time it collects process.env in full, hostname/username/OS/CPU/arch, the npm user-agent, and named Windows env vars ( USERDOMAIN , COMPUTERNAME , APPDATA , LOCALAPPDATA , PROGRAMDATA , TEMP , NODE_OPTIONS ), plus reads local files via fs.readFileSync and directory listings via readdirSync . The collected data is RC4-encrypted and shipped over two parallel channels: (1) an HTTPS POST to a runtime-assembled host ( lpqgnt builds {hostname, port, path, method:'POST',...} from decoded string-array entries), and (2) DNS-label tunneling ( oaulmd chunks the encrypted payload with /.{1,50}/g and issues resolve('<chunk>.<idx>.<rand>.<host>') queries against a hardcoded resolver) — a covert channel designed to bypass HTTP egress filtering. Before exfiltrating, the payload inspects process.argv , process.execPath , process.env.NODE_OPTIONS , and a wall-clock timing check to detect analysis environments, and defers execution behind a randomized setTimeout . The package presents itself as an internal 'Marketfront Platform Engineering' metrics client (author platform@marketfront.io , homepage docs.marketfront.io , README claiming 'anonymous telemetry to telemetry.marketfront.io' and instructing users to point .npmrc at npm.marketfront.io ), but none of that infrastructure exists as a real organization — it is dependency-confusion cover. The advertised library API is non-functional: dist/index.js is a two-line stub re-exporting ../src/index.js , and src/ is not shipped, so the postinstall dropper is the only reachable code.

Source: amazon-inspector (b3c312ca92f800ad787ffb20a7c333e8308f503e9baa461359a978a9d9e808e9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.