The @marketfront/fashiononboardingpopup package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover.
The package declares a postinstall hook (node scripts/postinstall.js) that executes heavily obfuscated (obfuscator.io-style) code automatically at npm install time. Static analysis of the decoded payload revealed a credential harvester that dynamically requires fs, os, http, https, zlib, path and dns, then reads approximately 20 sensitive credential files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env and ~/.bash_history. Collected data is exfiltrated via a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, alongside a DNS resolver beacon. The command-and-control host is concealed behind an additional RC4+XOR encryption layer around an embedded configuration blob and was not statically resolved.
The decoded behavioral payload (module requires, credential-file target list, exfiltration headers and endpoint) is byte-for-byte identical across sampled packages in the campaign. The campaign shares tooling and infrastructure patterns (obfuscated postinstall credential harvester, X-Secret header, /api/v1/events exfiltration path, RC4-concealed C2) with the earlier @emcd-vue campaign, indicating the same actor rotating scopes and disposable maintainer emails.
-= Per source details. Do not edit below this line.=-
@marketfront/fashiononboardingpopup@7.0.0 declares "postinstall": "node scripts/postinstall.js" which auto-executes during npm install. scripts/postinstall.js is a heavily obfuscated payload (obfuscator.io-style hex string array, base64+RC4 string decoder) whose decoded behavior collects host identity (os.hostname, os.userInfo, os.networkInterfaces, os.cpus, platform, arch), Windows environment variables (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA), process.argv, process.cwd(), and the entire process.env, RC4-encrypts the JSON, and POSTs it via require('https'|'http').request to a hardcoded remote endpoint the installer never opted into. The script also contains anti-analysis logic that inspects process.argv and NODE_OPTIONS for debugger flags and applies a timing check, disabling execution when analysis is suspected. The package's advertised library surface is a stub: dist/index.js re-exports ../src/index.js, which is not shipped in the tarball; the package's main provides no real functionality. Metadata (description "Internal structured logger", repository github.marketfront.io, homepage docs.marketfront.io) is styled to imitate an internal private package on public npm — a dependency-confusion social-engineering layer paired with the working install-time exfiltration payload.
{
"malicious-packages-origins": [
{
"versions": [
"7.0.0"
],
"sha256": "604b64d5bbde0068372b15b9af44e12d8a3ef9f6ab2cfee54f493d64d91fca8a",
"modified_time": "2026-07-06T03:20:22Z",
"source": "amazon-inspector",
"import_time": "2026-07-06T04:58:10.75836951Z",
"id": "IN-MAL-2026-008026"
}
]
}{
"package_integrity": [
{
"filename": "fashiononboardingpopup-7.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-NMmFTBMefitIk3nbu6h/Zpz27LFodbDI6JZeDK0KAkgLEfdJ/l72RIlzSU//h3xoqLJaJZB+UmtZzebtHx+j7A==",
"sha1": "52cfbb868463392e37164c9a3fca3ec885d8f738"
}
}
],
"evidence_files": [
{
"sha256": "763e406418a5e73aa6b80a3fa9eab3b6850268fd2f58680547475fa7c8b57757",
"path": "scripts/postinstall.js",
"tlsh": "1cf3da892740d487d85fdebfbf61e6f4e1197cc6c3c1284af714b46cf89852a9a48b81"
},
{
"sha256": "33f62e2812a990fa277a018a862ee28ca7607bb4af5c32521829530e51335e81",
"path": "package.json",
"tlsh": "a411ad31c5269d3362d525aaee742e01b5354cab2899fc1863c3416c0f8d16b50fea3d"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@marketfront/fashiononboardingpopup/MAL-2026-6778.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]