npm · Malicious package advisory
Malware@marketfront/commonecommerce
MAL-2026-6771
Malicious code in @marketfront/commonecommerce (npm)
Details
The @marketfront/commonecommerce package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover.
The package declares a postinstall hook (node scripts/postinstall.js) that executes heavily obfuscated (obfuscator.io-style) code automatically at npm install time. Static analysis of the decoded payload revealed a credential harvester that dynamically requires fs, os, http, https, zlib, path and dns, then reads approximately 20 sensitive credential files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env and ~/.bash_history. Collected data is exfiltrated via a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, alongside a DNS resolver beacon. The command-and-control host is concealed behind an additional RC4+XOR encryption layer around an embedded configuration blob and was not statically resolved.
The decoded behavioral payload (module requires, credential-file target list, exfiltration headers and endpoint) is byte-for-byte identical across sampled packages in the campaign. The campaign shares tooling and infrastructure patterns (obfuscated postinstall credential harvester, X-Secret header, /api/v1/events exfiltration path, RC4-concealed C2) with the earlier @emcd-vue campaign, indicating the same actor rotating scopes and disposable maintainer emails.
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b3c312ca92f800ad787ffb20a7c333e8308f503e9baa461359a978a9d9e808e9)
This package is a malicious install-time credential/host harvester wearing a fake corporate-telemetry cover story. On `npm install`, the `postinstall` lifecycle hook runs `scripts/postinstall.js`, a 162 KB obfuscator.io-style bundle that uses a shuffled string array with RC4+base64 decoders (`a0d/a0e/a0f`) to hide every literal, including all `require(...)` module names (`fs`, `http`, `https`, `dns`, `os`) and destination hosts. At install time it collects `process.env` in full, hostname/username/OS/CPU/arch, the npm user-agent, and named Windows env vars (`USERDOMAIN`, `COMPUTERNAME`, `APPDATA`, `LOCALAPPDATA`, `PROGRAMDATA`, `TEMP`, `NODE_OPTIONS`), plus reads local files via `fs.readFileSync` and directory listings via `readdirSync`. The collected data is RC4-encrypted and shipped over two parallel channels: (1) an HTTPS POST to a runtime-assembled host (`lpqgnt` builds `{hostname, port, path, method:'POST',...}` from decoded string-array entries), and (2) DNS-label tunneling (`oaulmd` chunks the encrypted payload with `/.{1,50}/g` and issues `resolve('<chunk>.<idx>.<rand>.<host>')` queries against a hardcoded resolver) — a covert channel designed to bypass HTTP egress filtering. Before exfiltrating, the payload inspects `process.argv`, `process.execPath`, `process.env.NODE_OPTIONS`, and a wall-clock timing check to detect analysis environments, and defers execution behind a randomized `setTimeout`. The package presents itself as an internal 'Marketfront Platform Engineering' metrics client (author `platform@marketfront.io`, homepage `docs.marketfront.io`, README claiming 'anonymous telemetry to telemetry.marketfront.io' and instructing users to point `.npmrc` at `npm.marketfront.io`), but none of that infrastructure exists as a real organization — it is dependency-confusion cover. The advertised library API is non-functional: `dist/index.js` is a two-line stub re-exporting `../src/index.js`, and `src/` is not shipped, so the postinstall dropper is the only reachable code.
Compromised versions (1)
- 7.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.