registry  /  @marketfront/commonecommerce  /  7.0.0

@marketfront/commonecommerce@7.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6771 confirms this npm version as malicious. The @marketfront/commonecommerce package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover.

Advisory
MAL-2026-6771
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @marketfront/commonecommerce (npm)
Details
The @marketfront/commonecommerce package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover. The package declares a postinstall hook (node scripts/postinstall.js) that executes heavily obfuscated (obfuscator.io-style) code automatically at npm install time. Static analysis of the decoded payload revealed a credential harvester that dynamically requires fs, os, http, https, zlib, path and dns, then reads approximately 20 sensitive credential files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env and ~/.bash_history. Collected data is exfiltrated via a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, alongside a DNS resolver beacon. The command-and-control host is concealed behind an additional RC4+XOR encryption layer around an embedded configuration blob and was not statically resolved. The decoded behavioral payload (module requires, credential-file target list, exfiltration headers and endpoint) is byte-for-byte identical across sampled packages in the campaign. The campaign shares tooling and infrastructure patterns (obfuscated postinstall credential harvester, X-Secret header, /api/v1/events exfiltration path, RC4-concealed C2) with the earlier @emcd-vue campaign, indicating the same actor rotating scopes and disposable maintainer emails. --- ## Source: amazon-inspector (b3c312ca92f800ad787ffb20a7c333e8308f503e9baa461359a978a9d9e808e9) This package is a malicious install-time credential/host harvester wearing a fake corporate-telemetry cover story. On `npm install`, the `postinstall` lifecycle hook runs `scripts/postinstall.js`, a 162 KB obfuscator.io-style bundle that uses a shuffled string array with RC4+base64 decoders (`a0d/a0e/a0f`) to hide every literal, including all `require(...)` module names (`fs`, `http`, `https`, `dns`, `os`) and destination hosts. At install time it collects `process.env` in full, hostname/username/OS/CPU/arch, the npm user-agent, and named Windows env vars (`USERDOMAIN`, `COMPUTERNAME`, `APPDATA`, `LOCALAPPDATA`, `PROGRAMDATA`, `TEMP`, `NODE_OPTIONS`), plus reads local files via `fs.readFileSync` and directory listings via `readdirSync`. The collected data is RC4-encrypted and shipped over two parallel channels: (1) an HTTPS POST to a runtime-assembled host (`lpqgnt` builds `{hostname, port, path, method:'POST',...}` from decoded string-array entries), and (2) DNS-label tunneling (`oaulmd` chunks the encrypted payload with `/.{1,50}/g` and issues `resolve('<chunk>.<idx>.<rand>.<host>')` queries against a hardcoded resolver) — a covert channel designed to bypass HTTP egress filtering. Before exfiltrating, the payload inspects `process.argv`, `process.execPath`, `process.env.NODE_OPTIONS`, and a wall-clock timing check to detect analysis environments, and defers execution behind a randomized `setTimeout`. The package presents itself as an internal 'Marketfront Platform Engineering' metrics client (author `platform@marketfront.io`, homepage `docs.marketfront.io`, README claiming 'anonymous telemetry to telemetry.marketfront.io' and instructing users to point `.npmrc` at `npm.marketfront.io`), but none of that infrastructure exists as a real organization — it is dependency-confusion cover. The advertised library API is non-functional: `dist/index.js` is a two-line stub re-exporting `../src/index.js`, and `src/` is not shipped, so the postinstall dropper is the only reachable code.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
DynamicRequireEnvironmentVars
Supply chain
MinifiedTrivial
Manifest
NoLicense
scanned 2 file(s), 159 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
2// dist/index.js L3: module.exports = require('../src/index.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowNo License