MAL-2026-6771

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@marketfront/commonecommerce/MAL-2026-6771.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6771
Published
2026-07-02T00:00:00Z
Modified
2026-07-06T05:16:48.048384322Z
Summary
Malicious code in @marketfront/commonecommerce (npm)
Details

The @marketfront/commonecommerce package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover.

The package declares a postinstall hook (node scripts/postinstall.js) that executes heavily obfuscated (obfuscator.io-style) code automatically at npm install time. Static analysis of the decoded payload revealed a credential harvester that dynamically requires fs, os, http, https, zlib, path and dns, then reads approximately 20 sensitive credential files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env and ~/.bash_history. Collected data is exfiltrated via a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, alongside a DNS resolver beacon. The command-and-control host is concealed behind an additional RC4+XOR encryption layer around an embedded configuration blob and was not statically resolved.

The decoded behavioral payload (module requires, credential-file target list, exfiltration headers and endpoint) is byte-for-byte identical across sampled packages in the campaign. The campaign shares tooling and infrastructure patterns (obfuscated postinstall credential harvester, X-Secret header, /api/v1/events exfiltration path, RC4-concealed C2) with the earlier @emcd-vue campaign, indicating the same actor rotating scopes and disposable maintainer emails.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b3c312ca92f800ad787ffb20a7c333e8308f503e9baa461359a978a9d9e808e9)

This package is a malicious install-time credential/host harvester wearing a fake corporate-telemetry cover story. On npm install, the postinstall lifecycle hook runs scripts/postinstall.js, a 162 KB obfuscator.io-style bundle that uses a shuffled string array with RC4+base64 decoders (a0d/a0e/a0f) to hide every literal, including all require(...) module names (fs, http, https, dns, os) and destination hosts. At install time it collects process.env in full, hostname/username/OS/CPU/arch, the npm user-agent, and named Windows env vars (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, PROGRAMDATA, TEMP, NODE_OPTIONS), plus reads local files via fs.readFileSync and directory listings via readdirSync. The collected data is RC4-encrypted and shipped over two parallel channels: (1) an HTTPS POST to a runtime-assembled host (lpqgnt builds {hostname, port, path, method:'POST',...} from decoded string-array entries), and (2) DNS-label tunneling (oaulmd chunks the encrypted payload with /.{1,50}/g and issues resolve('<chunk>.<idx>.<rand>.<host>') queries against a hardcoded resolver) — a covert channel designed to bypass HTTP egress filtering. Before exfiltrating, the payload inspects process.argv, process.execPath, process.env.NODE_OPTIONS, and a wall-clock timing check to detect analysis environments, and defers execution behind a randomized setTimeout. The package presents itself as an internal 'Marketfront Platform Engineering' metrics client (author platform@marketfront.io, homepage docs.marketfront.io, README claiming 'anonymous telemetry to telemetry.marketfront.io' and instructing users to point .npmrc at npm.marketfront.io), but none of that infrastructure exists as a real organization — it is dependency-confusion cover. The advertised library API is non-functional: dist/index.js is a two-line stub re-exporting ../src/index.js, and src/ is not shipped, so the postinstall dropper is the only reachable code.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "7.0.0"
            ],
            "sha256": "b3c312ca92f800ad787ffb20a7c333e8308f503e9baa461359a978a9d9e808e9",
            "source": "amazon-inspector",
            "modified_time": "2026-07-06T03:19:25Z",
            "import_time": "2026-07-06T04:58:10.413885208Z",
            "id": "IN-MAL-2026-008020"
        }
    ]
}
References
Credits

Affected packages

npm / @marketfront/commonecommerce

Package

Name
@marketfront/commonecommerce
View open source insights on deps.dev
Purl
pkg:npm/%40marketfront%2Fcommonecommerce

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "commonecommerce-7.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-WzTF1uVHxcMTL8jvDS5MyWYRwstCXmHXINQYeICNhaI5vylJbYLT9DLre2aqK+E90YA6OIoZjAB7fZjU0kjX9Q==",
                "sha1": "2ddfcc51d1175208807fc81c008a51eb55cb9327"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "c085083dca3ad2b17743ce8a4f71e959a3ee469e7caea7d780300d7940881b2e",
            "path": "scripts/postinstall.js",
            "tlsh": "a4f3ec892740d482d95fefbf7f61e6f4e0197cc6c3c5284af714b52cf89852a9a48b81"
        },
        {
            "sha256": "84efc12ab8808c48a1b8a27e7dfcbf486abf6a6c9958532207f350694425886c",
            "path": "package.json",
            "tlsh": "8d11aa32c6214c3336d5299abe742d42b96a4d2f1895fc1c63c3406c4bcd16a21fe73d"
        },
        {
            "sha256": "ef33b25b7f17c5fc669db0d5c406e2eb41b8559b29f093d8aac7e3989dc2647a",
            "path": "dist/index.js",
            "tlsh": "35a0112a2ab2a282028200c2c0c3aa0200eac030008820220a088aac8088cc800ec8a8"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@marketfront/commonecommerce/MAL-2026-6771.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]