npm

@marketfront/devtoolsloader @7.0.0

Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC

Malicious

OSV ID

MAL-2026-6774

Ecosystem

npm

Summary

The package ships a heavily obfuscated postinstall script (scripts/postinstall.js, ~161 KB, obfuscator.io RC4 string-array with control-flow flattening) invoked from package.json ("postinstall": "node scripts/postinstall.js"). At npm install time the script collects host identifiers (os.userInfo(), os.networkInterfaces(), hostname), enumerates process.env against embedded char-code-encoded arrays of credential-shaped variable names (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA, and additional token/secret-shaped keys), and reads installer-side dotfiles (shell history / rc files) via decoded absolute paths. The payload is XOR-encrypted and transmitted via https.request POST and DNS queries to a destination decoded from the obfuscated string array. Execution is gated on sandbox-evasion checks (process.argv[0]/argv[1] inspection, NODE_OPTIONS blocklist tokens, Date.now spin-loop timing) so the payload only fires on real developer machines. The package advertises a fictitious internal corporate infrastructure (@marketfront scope, github.marketfront.io, npm.marketfront.io) and ships no functional library — dist/index.js re-exports../src/index.js which is absent from the tarball — consistent with a dependency-confusion lure targeting developers expecting an internal @marketfront/* package. Installing this package on a developer or CI machine results in exfiltration of environment variables (including any credentials present in env), host identity, and shell history/config file contents to an attacker-controlled endpoint.

Source: amazon-inspector (d449d3db7f73a80417996b67687dca9330bf5d0591233c639416a4f2e2b7eb22)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.