malware npm

@marketfront/actualordersnippetpopup

discovered 2026-07-01

Part of the 25-package @marketfront Wave 4 batch (all v7.0.0, batch-published by npm user marketfront on 2026-07-01 in a ~3-minute window, now 404). Ships the byte-identical obfuscated postinstall credential-file harvester documented on @marketfront/header: reads ~20 secret files and exfiltrates them via a gzip HTTPS POST with an X-Secret header to /api/v1/events with an RC4+XOR-concealed, unresolved C2. See @marketfront/header and the campaign for full payload analysis.

Threat types

dependency_confusion credential_stealer data_exfiltration

Malicious versions

  • 7.0.0

Campaigns

Indicators

Read the full analysis →