MAL-2026-6773

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@marketfront/designsystemdevtool/MAL-2026-6773.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6773
Published
2026-07-02T00:00:00Z
Modified
2026-07-06T05:16:48.131360368Z
Summary
Malicious code in @marketfront/designsystemdevtool (npm)
Details

The @marketfront/designsystemdevtool package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover.

The package declares a postinstall hook (node scripts/postinstall.js) that executes heavily obfuscated (obfuscator.io-style) code automatically at npm install time. Static analysis of the decoded payload revealed a credential harvester that dynamically requires fs, os, http, https, zlib, path and dns, then reads approximately 20 sensitive credential files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env and ~/.bash_history. Collected data is exfiltrated via a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, alongside a DNS resolver beacon. The command-and-control host is concealed behind an additional RC4+XOR encryption layer around an embedded configuration blob and was not statically resolved.

The decoded behavioral payload (module requires, credential-file target list, exfiltration headers and endpoint) is byte-for-byte identical across sampled packages in the campaign. The campaign shares tooling and infrastructure patterns (obfuscated postinstall credential harvester, X-Secret header, /api/v1/events exfiltration path, RC4-concealed C2) with the earlier @emcd-vue campaign, indicating the same actor rotating scopes and disposable maintainer emails.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (53fef718149dfdd992039f8770bb9f7d5961a450f3b1d5c92482723633a14c08)

This package is a public-registry impersonation of an internal Marketfront scope (README instructs use of a private registry at npm.marketfront.io, and the shipped main dist/index.js re-exports a path../src/index.js that is not present in the tarball — the package has no library functionality). Its only real payload is scripts/postinstall.js, which is obfuscator.io-style with an RC4-decoded string array so that module names (https, dns, os, childprocess, zlib), the destination host/path, HTTP headers, and env-variable keywords are only reconstructed at runtime. On install the script gates on process.execArgv, process.env.NODEOPTIONS, and a wall-clock timing loop to skip execution when --inspect/--debug or debugger instrumentation is detected. When those checks pass, it enumerates process.env in bulk (USERDOMAIN, COMPUTERNAME, PROCESSORARCHITECTURE, PROGRAMDATA, APPDATA, LOCALAPPDATA, TEMP, npmconfiguseragent, NODE_OPTIONS) plus a keyword-driven scan of all environment variable names, collects os.userInfo/hostname/networkInterfaces, package.json contents, and shell command output, and ships the bundle to a runtime-assembled remote endpoint over HTTPS with a DNS-tunnel fallback. Installer harm: any npm install / CI build that resolves this scoped name from the public registry silently leaks host identifiers, environment variables (which typically include CI tokens, cloud credentials, and internal URLs), and system reconnaissance to attacker infrastructure at install time.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "7.0.0"
            ],
            "sha256": "53fef718149dfdd992039f8770bb9f7d5961a450f3b1d5c92482723633a14c08",
            "modified_time": "2026-07-06T03:20:01Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-06T04:58:10.642608093Z",
            "id": "IN-MAL-2026-008024"
        }
    ]
}
References
Credits

Affected packages

npm / @marketfront/designsystemdevtool

Package

Name
@marketfront/designsystemdevtool
View open source insights on deps.dev
Purl
pkg:npm/%40marketfront%2Fdesignsystemdevtool

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "designsystemdevtool-7.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-jFNFvAac/OQ5YM/c4FC1Tu5D6uUznXvaYDTJ93AQtWLCB+ggRXkiZxABsdJWjQBx3mpkt9Sqv68Ux8g/QeutGw==",
                "sha1": "d530ce4df8b335578c75b05f1393b4ebcb8060c5"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "7f09408afbcdab81d9324508faa04fd1fe4f9ca143c35fc8b153060a9130626d",
            "path": "scripts/postinstall.js",
            "tlsh": "2df3ec892740d457d95fdfbfbf61e6f4e0297cc6c3c1244af714b86ce89852a9a48b80"
        },
        {
            "sha256": "9351785d9521d36d99ea8942c0458ed969b8a140fd5f962e1588df8484d38f3a",
            "path": "package.json",
            "tlsh": "a511aa31c6369d3372d425dabeb41e42b83658ab099dfc1863c3402c4b8d29a51fea3d"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@marketfront/designsystemdevtool/MAL-2026-6773.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]