npm

@marketfront/mychatspreloader @7.0.0

Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC

Malicious

OSV ID

MAL-2026-6786

Ecosystem

npm

Summary

The package ships a heavily obfuscated postinstall.js (obfuscator.io-style: rotated string array of length 213, RC4/base64 decoders, numeric-charcode arrays decoded at runtime) that runs automatically on npm install . On execution it enumerates the entire process.env , collects OS identifiers via os.hostname() , os.userInfo() , os.networkInterfaces() , and os.cpus() , and reads Windows-specific environment variables (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA). It then reads files under the user's APPDATA/LOCALAPPDATA/TEMP/PROGRAMDATA directories — where browser profiles, wallet stores, and app credential files reside on Windows — and includes their contents in the outbound payload. The collected data is exfiltrated over two channels: an HTTPS POST and DNS-subdomain queries via dns.Resolver (a classic DNS-tunnel exfil channel used to bypass HTTP egress filtering). The package has no library functionality: main points to dist/index.js which requires ../src/index.js , and no src/ directory is shipped in the tarball — the only effect of installing the package is the malicious postinstall. The @marketfront scope and README (referencing marketfront.io / npm.marketfront.io / jira.marketfront.io as an internal registry) present a dependency-confusion cover story targeting an organization that expects a private @marketfront/* package from an internal registry.

Source: amazon-inspector (c37e62bf76544bbc506f0806596054cf60d6c7e4ae8f990a804407c46417224a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.