malware npm

@marketfront/header

discovered 2026-07-01

Representative package from the @marketfront scope (25 packages total, all at version 7.0.0, batch-published by npm user marketfront within a roughly 3-minute window on 2026-07-01; scope created 2026-07-01T22:59:33Z; all now return 404). The cover names mimic e-commerce/marketing frontend components (header, footer, navbar, bannerpopup, customdealsfeed, fingerprint, etc.). Full 25-package list: src/data/blogs/marketfront-campaign-packages.csv.

Payload: a postinstall hook, 'node scripts/postinstall.js', running an obfuscator.io-style single-line script of roughly 160 KB that uses a custom lowercase-first base64 alphabet plus a per-string RC4 layer. On execution it dynamically require()s fs, os, http, https, zlib, path and dns; reads about 20 credential/secret files (~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, ~/.bash_history); and exfiltrates them as a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, plus a DNS resolver beacon.

The C2 host is concealed behind an RC4+XOR layer around an embedded config blob and was NOT statically resolved (unresolved; no code was executed during analysis).

The package ships a decoy dist/index.js that require()s ../src/index.js, a file absent from the tarball, so the library is non-functional and only the postinstall hook runs.

SafeDep community API: isMalware=true, CONFIDENCE_HIGH.

Threat types

  • dependency_confusion
  • credential_stealer
  • data_exfiltration

Malicious versions

  • 7.0.0
