@marketfront/navbar @7.0.0
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC
OSV ID
MAL-2026-6787
Ecosystem
npm
Summary
The package registers scripts/postinstall.js as an npm postinstall hook. The script is heavily obfuscated (obfuscator.io-style string-array with RC4 decoder, hex-named functions, runtime string decoding) and, on npm install, harvests a full profile of the installing machine: os.hostname(), os.userInfo().username, os.homedir(), os.platform(), os.arch(), os.networkInterfaces(), process.argv0, process.cwd(), the complete process.env, npm_config_user_agent, and Windows-specific USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, and PROGRAMDATA, along with the package name and version. The collected data is JSON-serialized, zlib-compressed, XOR-encrypted, and exfiltrated over two channels to a runtime-decoded remote host: an HTTPS POST and a DNS TXT tunnel that chunks the payload into subdomain labels via a custom dns.Resolver with attacker-specified servers. Payload execution is gated by anti-analysis checks — inspection of process.argv and NODE_OPTIONS for 'node_modules' / '.npm' tokens, a Date.now() timing threshold, and a global sentinel for single execution — designed to fire on real developer and CI installs while staying silent under scanners. The package presents itself as an 'Internal structured logger' under the name @marketfront/navbar, but has no working library surface: dist/index.js re-exports../src/index.js, which is not shipped in the tarball. The entire functional behavior is the install-time stealer. Developer and CI process environments routinely contain cloud provider tokens, npm publish tokens, registry credentials, and CI secrets, so the impact is credential compromise of the installer's account/infrastructure.
Source: amazon-inspector (2a0a9490d91761fdf242bf7e3b9a97cc4f0df29f1306d7e476dad08aad25c17a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.