@marketfront/errorcounter @7.0.0
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC
OSV ID
MAL-2026-6777
Ecosystem
npm
Summary
This package is a dependency-confusion lure targeting an internal @marketfront npm scope. The declared library entry point ( dist/index.js ) re-exports ../src/index.js , which is not shipped — the package is non-functional as advertised. Its only real behavior is the declared postinstall hook ( node scripts/postinstall.js ), which is a heavily obfuscated (obfuscator.io-style string-array RC4 decoder, control-flow dead-code, function/property indirection) payload that runs automatically on npm install . At install time it collects os.hostname , os.type , os.release , os.arch , os.version , os.homedir , os.userInfo().username , os.networkInterfaces , the full process.env , and Windows-specific env vars (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA, npm_config_user_agent), packages them with the package name/version and a timestamp into a JSON blob, and ships the blob to a remote endpoint decoded from the obfuscated string array via HTTPS POST with a DNS-tunnel fallback (deliberate evasion of egress filtering). Before exfiltrating, the payload runs anti-analysis checks: it scans process.argv and NODE_OPTIONS against decoded tokens, requires process.mainModule.filename to match a decoded token, and executes a ~1e6-iteration Date.now() timing loop to detect sandboxes/debuggers, gating the exfil behind an internal flag. The combination of an obfuscated payload, anti-sandbox gating, dual exfil channels, a non-functional library shell, and an internal-scope cover story is unambiguous supply-chain malware. Any build system that mis-resolves the @marketfront scope to public npm will auto-run the stealer against its CI secrets, cloud tokens, and environment variables.
Source: amazon-inspector (d15a354db253fd90616eb7e33d8c09dd7dd36b691259ec737182a96f9b5d65ab)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.