npm

@marketfront/designsystemdevtool @7.0.0

Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC

Malicious

OSV ID

MAL-2026-6773

Ecosystem

npm

Summary

This package is a public-registry impersonation of an internal Marketfront scope (README instructs use of a private registry at npm.marketfront.io, and the shipped main dist/index.js re-exports a path../src/index.js that is not present in the tarball — the package has no library functionality). Its only real payload is scripts/postinstall.js, which is obfuscator.io-style with an RC4-decoded string array so that module names (https, dns, os, child_process, zlib), the destination host/path, HTTP headers, and env-variable keywords are only reconstructed at runtime. On install the script gates on process.execArgv, process.env.NODE_OPTIONS, and a wall-clock timing loop to skip execution when --inspect/--debug or debugger instrumentation is detected. When those checks pass, it enumerates process.env in bulk (USERDOMAIN, COMPUTERNAME, PROCESSOR_ARCHITECTURE, PROGRAMDATA, APPDATA, LOCALAPPDATA, TEMP, npm_config_user_agent, NODE_OPTIONS) plus a keyword-driven scan of all environment variable names, collects os.userInfo/hostname/networkInterfaces, package.json contents, and shell command output, and ships the bundle to a runtime-assembled remote endpoint over HTTPS with a DNS-tunnel fallback. Installer harm: any npm install / CI build that resolves this scoped name from the public registry silently leaks host identifiers, environment variables (which typically include CI tokens, cloud credentials, and internal URLs), and system reconnaissance to attacker infrastructure at install time.

Source: amazon-inspector (53fef718149dfdd992039f8770bb9f7d5961a450f3b1d5c92482723633a14c08)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.