npm

@marketfront/livestreampreviewpopup @7.0.0

Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC

Malicious

OSV ID

MAL-2026-6784

Ecosystem

npm

Summary

The package declares a postinstall hook ( node scripts/postinstall.js ) whose contents are an obfuscator.io-packed payload (string-array + RC4 decoder, hex identifiers, control-flow flattening) that runs automatically on npm install . On execution it collects installer host and identity data (os.hostname, os.userInfo, os.networkInterfaces, os.platform/release/arch, cwd, npm_config_user_agent, running-process enumeration, and the full process.env) and reads installer-owned secret files under the home directory (SSH keys, cloud credential files, npmrc/pypirc, browser profile data, shell history). The collected data is RC4-encrypted and transmitted to a hardcoded remote endpoint reassembled at runtime via atob() fragments over HTTPS POST, plus a base32-chunked DNS subdomain side-channel ( require('dns').Resolver with setServers([hostname]) and resolve4 on <index>.<random>.<chunk>.<random>.<attacker-domain> ) to bypass HTTP egress filtering. The advertised library surface is decorative: main points at dist/index.js , which re-exports ../src/index.js , but src/ is not shipped in the tarball, so consumers requiring the package error immediately. The package presents itself as an internal @marketfront Platform-Engineering package with homepage/repo/bugs URLs at nonexistent *.marketfront.io hosts and instructs installers to configure registry=https://npm.marketfront.io , consistent with a dependency-confusion attack against organizations using a private @marketfront scope. Version 7.0.0 with no prior public history reinforces the shadow-a-private-name staging pattern.

Source: amazon-inspector (93ffdd19e32de6c0b06508d32fac098925466ac85dbc28da3c20984abc72d4ef)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.