registry  /  @marketfront/errorcounter  /  7.0.0

@marketfront/errorcounter@7.0.0

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6777 confirms this npm version as malicious. The @marketfront/errorcounter package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover.

Advisory
MAL-2026-6777
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @marketfront/errorcounter (npm)
Details
The @marketfront/errorcounter package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover. The package declares a postinstall hook (node scripts/postinstall.js) that executes heavily obfuscated (obfuscator.io-style) code automatically at npm install time. Static analysis of the decoded payload revealed a credential harvester that dynamically requires fs, os, http, https, zlib, path and dns, then reads approximately 20 sensitive credential files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env and ~/.bash_history. Collected data is exfiltrated via a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, alongside a DNS resolver beacon. The command-and-control host is concealed behind an additional RC4+XOR encryption layer around an embedded configuration blob and was not statically resolved. The decoded behavioral payload (module requires, credential-file target list, exfiltration headers and endpoint) is byte-for-byte identical across sampled packages in the campaign. The campaign shares tooling and infrastructure patterns (obfuscated postinstall credential harvester, X-Secret header, /api/v1/events exfiltration path, RC4-concealed C2) with the earlier @emcd-vue campaign, indicating the same actor rotating scopes and disposable maintainer emails. --- ## Source: amazon-inspector (d15a354db253fd90616eb7e33d8c09dd7dd36b691259ec737182a96f9b5d65ab) This package is a dependency-confusion lure targeting an internal `@marketfront` npm scope. The declared library entry point (`dist/index.js`) re-exports `../src/index.js`, which is not shipped — the package is non-functional as advertised. Its only real behavior is the declared `postinstall` hook (`node scripts/postinstall.js`), which is a heavily obfuscated (obfuscator.io-style string-array RC4 decoder, control-flow dead-code, function/property indirection) payload that runs automatically on `npm install`. At install time it collects `os.hostname`, `os.type`, `os.release`, `os.arch`, `os.version`, `os.homedir`, `os.userInfo().username`, `os.networkInterfaces`, the full `process.env`, and Windows-specific env vars (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA, npm_config_user_agent), packages them with the package name/version and a timestamp into a JSON blob, and ships the blob to a remote endpoint decoded from the obfuscated string array via HTTPS POST with a DNS-tunnel fallback (deliberate evasion of egress filtering). Before exfiltrating, the payload runs anti-analysis checks: it scans `process.argv` and `NODE_OPTIONS` against decoded tokens, requires `process.mainModule.filename` to match a decoded token, and executes a ~1e6-iteration `Date.now()` timing loop to detect sandboxes/debuggers, gating the exfil behind an internal flag. The combination of an obfuscated payload, anti-sandbox gating, dual exfil channels, a non-functional library shell, and an internal-scope cover story is unambiguous supply-chain malware. Any build system that mis-resolves the `@marketfront` scope to public npm will auto-run the stealer against its CI secrets, cloud tokens, and environment variables.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
DynamicRequireEnvironmentVars
Supply chain
MinifiedTrivial
Manifest
NoLicense
scanned 2 file(s), 158 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
2// dist/index.js L3: module.exports = require('../src/index.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowNo License