@marketfront/customdealsfeed @7.0.0
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC
OSV ID
MAL-2026-6772
Ecosystem
npm
Summary
The package has no legitimate runtime surface: package.json 'main' re-exports../src/index.js which is not shipped in the tarball, so require() throws. The only executed code is scripts/postinstall.js, a ~165KB obfuscator.io-style payload that runs automatically on npm install. It uses a string-array decoder plus RC4 and XOR routines to hide its behavior, and contains a sandbox-evasion guard that suppresses execution when NODE_OPTIONS or the package name match hardcoded analysis-environment values. At install time the decoded payload collects host and account identity (os.userInfo, hostname, platform, arch, network interfaces), enumerates environment variables (including USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA, npm_config_user_agent and a full process.env dump), executes shell commands via child_process, and reads candidate credential/wallet/keystore files under APPDATA/LOCALAPPDATA/TEMP/PROGRAMDATA using a JSON key/value walker. The collected data is bundled into an encrypted JSON blob and transmitted over HTTPS to a hardcoded endpoint, with a DNS side-channel that splits ciphertext into ~50-character chunks encoded as sub.sub.HOST queries to bypass egress filtering. The @marketfront scope and README instruction to add 'registry=https://npm.marketfront.io' to.npmrc — pointing at non-existent infrastructure — is a dependency-confusion lure targeting organizations that have not correctly pinned an internal scope, with a fake 'anonymous telemetry to telemetry.marketfront.io' cover story pre-authorizing the observed network activity.
Source: amazon-inspector (dcdb247433e08e6bcd6ad2d50beedf663648e089d745d4608959d0e42efac2af)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.