{"id":"MAL-2026-6771","summary":"Malicious code in @marketfront/commonecommerce (npm)","details":"The @marketfront/commonecommerce package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover.\n\nThe package declares a postinstall hook (node scripts/postinstall.js) that executes heavily obfuscated (obfuscator.io-style) code automatically at npm install time. Static analysis of the decoded payload revealed a credential harvester that dynamically requires fs, os, http, https, zlib, path and dns, then reads approximately 20 sensitive credential files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env and ~/.bash_history. Collected data is exfiltrated via a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, alongside a DNS resolver beacon. The command-and-control host is concealed behind an additional RC4+XOR encryption layer around an embedded configuration blob and was not statically resolved.\n\nThe decoded behavioral payload (module requires, credential-file target list, exfiltration headers and endpoint) is byte-for-byte identical across sampled packages in the campaign. The campaign shares tooling and infrastructure patterns (obfuscated postinstall credential harvester, X-Secret header, /api/v1/events exfiltration path, RC4-concealed C2) with the earlier @emcd-vue campaign, indicating the same actor rotating scopes and disposable maintainer emails.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b3c312ca92f800ad787ffb20a7c333e8308f503e9baa461359a978a9d9e808e9)\nThis package is a malicious install-time credential/host harvester wearing a fake corporate-telemetry cover story. On `npm install`, the `postinstall` lifecycle hook runs `scripts/postinstall.js`, a 162 KB obfuscator.io-style bundle that uses a shuffled string array with RC4+base64 decoders (`a0d/a0e/a0f`) to hide every literal, including all `require(...)` module names (`fs`, `http`, `https`, `dns`, `os`) and destination hosts. At install time it collects `process.env` in full, hostname/username/OS/CPU/arch, the npm user-agent, and named Windows env vars (`USERDOMAIN`, `COMPUTERNAME`, `APPDATA`, `LOCALAPPDATA`, `PROGRAMDATA`, `TEMP`, `NODE_OPTIONS`), plus reads local files via `fs.readFileSync` and directory listings via `readdirSync`. The collected data is RC4-encrypted and shipped over two parallel channels: (1) an HTTPS POST to a runtime-assembled host (`lpqgnt` builds `{hostname, port, path, method:'POST',...}` from decoded string-array entries), and (2) DNS-label tunneling (`oaulmd` chunks the encrypted payload with `/.{1,50}/g` and issues `resolve('\u003cchunk\u003e.\u003cidx\u003e.\u003crand\u003e.\u003chost\u003e')` queries against a hardcoded resolver) — a covert channel designed to bypass HTTP egress filtering. Before exfiltrating, the payload inspects `process.argv`, `process.execPath`, `process.env.NODE_OPTIONS`, and a wall-clock timing check to detect analysis environments, and defers execution behind a randomized `setTimeout`. The package presents itself as an internal 'Marketfront Platform Engineering' metrics client (author `platform@marketfront.io`, homepage `docs.marketfront.io`, README claiming 'anonymous telemetry to telemetry.marketfront.io' and instructing users to point `.npmrc` at `npm.marketfront.io`), but none of that infrastructure exists as a real organization — it is dependency-confusion cover. The advertised library API is non-functional: `dist/index.js` is a two-line stub re-exporting `../src/index.js`, and `src/` is not shipped, so the postinstall dropper is the only reachable code.\n","modified":"2026-07-06T05:16:48.048384322Z","published":"2026-07-02T00:00:00Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"b3c312ca92f800ad787ffb20a7c333e8308f503e9baa461359a978a9d9e808e9","modified_time":"2026-07-06T03:19:25Z","import_time":"2026-07-06T04:58:10.413885208Z","id":"IN-MAL-2026-008020","versions":["7.0.0"]}]},"references":[{"type":"REPORT","url":"https://safedep.io/marketfront-dependency-confusion-campaign/"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@marketfront/commonecommerce/v/7.0.0"}],"affected":[{"package":{"name":"@marketfront/commonecommerce","ecosystem":"npm","purl":"pkg:npm/%40marketfront%2Fcommonecommerce"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["7.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@marketfront/commonecommerce/MAL-2026-6771.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"commonecommerce-7.0.0.tgz","hashes":{"sha1":"2ddfcc51d1175208807fc81c008a51eb55cb9327","sha512_sri":"sha512-WzTF1uVHxcMTL8jvDS5MyWYRwstCXmHXINQYeICNhaI5vylJbYLT9DLre2aqK+E90YA6OIoZjAB7fZjU0kjX9Q=="}}],"evidence_files":[{"sha256":"c085083dca3ad2b17743ce8a4f71e959a3ee469e7caea7d780300d7940881b2e","path":"scripts/postinstall.js","tlsh":"a4f3ec892740d482d95fefbf7f61e6f4e0197cc6c3c5284af714b52cf89852a9a48b81"},{"sha256":"84efc12ab8808c48a1b8a27e7dfcbf486abf6a6c9958532207f350694425886c","path":"package.json","tlsh":"8d11aa32c6214c3336d5299abe742d42b96a4d2f1895fc1c63c3406c4bcd16a21fe73d"},{"sha256":"ef33b25b7f17c5fc669db0d5c406e2eb41b8559b29f093d8aac7e3989dc2647a","path":"dist/index.js","tlsh":"35a0112a2ab2a282028200c2c0c3aa0200eac030008820220a088aac8088cc800ec8a8"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}