registry  /  @marketfront/blenderdevtool  /  7.0.0

@marketfront/blenderdevtool@7.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6768 confirms this npm version as malicious. The @marketfront/blenderdevtool package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover.

Advisory
MAL-2026-6768
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @marketfront/blenderdevtool (npm)
Details
The @marketfront/blenderdevtool package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover. The package declares a postinstall hook (node scripts/postinstall.js) that executes heavily obfuscated (obfuscator.io-style) code automatically at npm install time. Static analysis of the decoded payload revealed a credential harvester that dynamically requires fs, os, http, https, zlib, path and dns, then reads approximately 20 sensitive credential files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env and ~/.bash_history. Collected data is exfiltrated via a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, alongside a DNS resolver beacon. The command-and-control host is concealed behind an additional RC4+XOR encryption layer around an embedded configuration blob and was not statically resolved. The decoded behavioral payload (module requires, credential-file target list, exfiltration headers and endpoint) is byte-for-byte identical across sampled packages in the campaign. The campaign shares tooling and infrastructure patterns (obfuscated postinstall credential harvester, X-Secret header, /api/v1/events exfiltration path, RC4-concealed C2) with the earlier @emcd-vue campaign, indicating the same actor rotating scopes and disposable maintainer emails. --- ## Source: amazon-inspector (cbaf34bd1bf73af787679197a51e9147f20a2f1ade5576e4b8ca9d9a36cf7363) On `npm install`, scripts/postinstall.js executes an obfuscator.io-style bundle (212-entry RC4-decoded rotated string array, integer opaque predicates, char-code array constructors) that reads installer-owned secret files including ~/.npmrc, ~/.aws/credentials, ~/.ssh/*, ~/.docker/config.json and.env, bulk-scrapes process.env, and collects host identifiers (os.hostname, os.userInfo, network interfaces). The collected payload is XOR-encrypted with a key derived from the package identity, chunked into a 33-character alphabet, and exfiltrated as recursive DNS queries via dns.Resolver().resolve to a hardcoded external host — a channel chosen to bypass HTTP egress filtering and proxy allowlists. The install path is gated by an anti-analysis check that scans process.argv and NODE_OPTIONS for instrumentation fingerprints and runs a CPU-timing loop to detect VMs/debuggers, so sandboxed installs appear inert. The package additionally exhibits a dependency-confusion shape: it uses the @marketfront/* scope, its README labels it an 'Internal package — Platform Engineering Team', and its metadata (homepage/repository/bugs) points at *.marketfront.io hosts, indicating the public-registry publish is intended to be resolved in place of an internal package of the same name by a target organization's build pipeline. The README claim of 'anonymous telemetry' is a cover story that does not match the observed behavior.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
DynamicRequireEnvironmentVars
Supply chain
MinifiedTrivial
Manifest
NoLicense
scanned 2 file(s), 160 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
2// dist/index.js L3: module.exports = require('../src/index.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowNo License