@marketfront/header @7.0.0
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC
OSV ID
MAL-2026-6782
Ecosystem
npm
Summary
package.json declares a postinstall hook that executes scripts/postinstall.js , a ~160KB obfuscator.io-style bundle using RC4 string decryption and char-code array lookups to hide module names and control flow. On npm install , the script harvests installer-side data — the full process.env , process.cwd() , and host identifiers ( USERDOMAIN , COMPUTERNAME , PROCESSOR_ARCHITECTURE , APPDATA , LOCALAPPDATA , TEMP , PROGRAMDATA , NODE_OPTIONS , npm_config_user_agent ) — and reads a list of files under the installer's home directory ( os.homedir() -derived paths plus directory enumeration), packing all results into a single payload object transmitted to a remote endpoint. There is no native-build, SDK-download, or other legitimate lifecycle rationale for this behavior; the shape (heavy obfuscation + lifecycle-time execution + bulk env capture + home-directory credential-path reads + hardcoded outbound transport) is a supply-chain install-time stealer.
Source: amazon-inspector (38f0edd33f2e062b9347a03bb6b126c82a55fd8b3d2d16f58d0f1816392f9647)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.