@marketfront/fashiononboardingpopup @7.0.0
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC
OSV ID
MAL-2026-6778
Ecosystem
npm
Summary
@marketfront/fashiononboardingpopup@7.0.0 declares "postinstall": "node scripts/postinstall.js" which auto-executes during npm install . scripts/postinstall.js is a heavily obfuscated payload (obfuscator.io-style hex string array, base64+RC4 string decoder) whose decoded behavior collects host identity (os.hostname, os.userInfo, os.networkInterfaces, os.cpus, platform, arch), Windows environment variables (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA), process.argv, process.cwd(), and the entire process.env, RC4-encrypts the JSON, and POSTs it via require('https'|'http').request to a hardcoded remote endpoint the installer never opted into. The script also contains anti-analysis logic that inspects process.argv and NODE_OPTIONS for debugger flags and applies a timing check, disabling execution when analysis is suspected. The package's advertised library surface is a stub: dist/index.js re-exports ../src/index.js , which is not shipped in the tarball; the package's main provides no real functionality. Metadata (description "Internal structured logger", repository github.marketfront.io, homepage docs.marketfront.io) is styled to imitate an internal private package on public npm — a dependency-confusion social-engineering layer paired with the working install-time exfiltration payload.
Source: amazon-inspector (604b64d5bbde0068372b15b9af44e12d8a3ef9f6ab2cfee54f493d64d91fca8a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.