@marketfront/footer @7.0.0
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC
OSV ID
MAL-2026-6780
Ecosystem
npm
Summary
On npm install , scripts/postinstall.js — a 160KB obfuscator.io-style bundle with an RC4-decoded string array and runtime-assembled identifiers — collects installer-side secrets and host identity and tunnels them out over DNS to an attacker-controlled resolver. Data collection covers the entirety of process.env (bulk CI/build secrets such as AWS_*, GITHUB_TOKEN, NPM_TOKEN, database credentials), host identifiers from os.userInfo() / os.hostname() / os.networkInterfaces() , Windows environment variables (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA, PROCESSOR_ARCHITECTURE), and the contents of well-known home-directory secret files including ~/.aws, ~/.ssh, ~/.npmrc, ~/.docker, ~/.gitconfig, ~/.netrc, and browser/shell profile paths. The harvested payload is JSON-serialized, gzipped via zlib.gzipSync , XOR-keyed, base32-encoded, split into 50-character chunks, and each chunk is emitted as a DNS TXT query of the form <seq>.<total>.<idx>.<rand>.<subdomain>.<attacker-host> using a dns.Resolver 's resolveTxt — a channel specifically chosen to bypass HTTP egress filtering common on CI/build networks. The package's declared purpose ("internal database utilities with connection pooling, query builder and migration support") is a cover story: main points at dist/index.js , which only re-exports an absent src/index.js , so the tarball ships no functional library code — only the obfuscated postinstall. The @marketfront scope and marketfront.io publisher metadata additionally have the shape of an internal-name impersonation targeting a specific organization (dependency-confusion pattern).
Source: amazon-inspector (df4b30bc8f0ba99a70d152a0b6aa01a9acc3605505c3c3c31c8c03cc5ea4a639)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.