@marketfront/infopopup @7.0.0
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC
OSV ID
MAL-2026-6783
Ecosystem
npm
Summary
On npm install , the declared postinstall script ( scripts/postinstall.js ) runs a heavily obfuscated (obfuscator.io-style, RC4/XOR string-array decoded) payload that harvests installer-owned secrets and identity: reads ~/.aws/credentials , ~/.ssh/known_hosts , ~/.npmrc , ~/.docker/config.json , ~/.gitconfig , and shell history files; bulk-serialises process.env ; and collects hostname, user, network interfaces, CPU/OS. The collected data is encrypted and transmitted over two exfiltration channels: an HTTPS POST to a runtime-decoded remote endpoint, and a DNS-tunnel channel built via new dns.Resolver().resolve4(...) that splits the encrypted body into ≤50-character labels queried under an attacker-controlled parent domain to survive HTTPS egress filtering. Package metadata advertises a fabricated corporate identity ( *.marketfront.io hosts that do not exist; README references an internal-corp.io auth endpoint) as a dependency-confusion cover story for what is otherwise a credential-stealer. Declared purpose ("internal authentication client") does not require reading AWS/SSH/npm/Docker/Git credential files or DNS-tunnelling encrypted blobs.
Source: amazon-inspector (206e60b923200a66a3a6bacec3f6ec998191bd648eb4bbc61b1cee008d2f3eec)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.