malware
npm
@marketfront/actualordersnippetpopup
discovered 2026-07-01Part of the 25-package @marketfront Wave 4 batch (all v7.0.0, batch-published by npm user marketfront on 2026-07-01 in a ~3-minute window, now 404). Ships the byte-identical obfuscated postinstall credential-file harvester documented on @marketfront/header: reads ~20 secret files and exfiltrates them via a gzip HTTPS POST with an X-Secret header to /api/v1/events with an RC4+XOR-concealed, unresolved C2. See @marketfront/header and the campaign for full payload analysis.
Threat types
dependency_confusion credential_stealer data_exfiltration
Malicious versions
- 7.0.0