npm · Malicious package advisory
Malware@marketfront/gotoauthpopup
MAL-2026-6781
Malicious code in @marketfront/gotoauthpopup (npm)
Details
The @marketfront/gotoauthpopup package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' (marketfront@tutamail.com) within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use e-commerce/marketing frontend component names as cover. The package declares a postinstall hook (node scripts/postinstall.js) that executes heavily obfuscated (obfuscator.io-style) code automatically at npm install time. Static analysis of the decoded payload revealed a credential harvester that dynamically requires fs, os, http, https, zlib, path and dns, then reads approximately 20 sensitive credential files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env and ~/.bash_history. Collected data is exfiltrated via a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, alongside a DNS resolver beacon. The command-and-control host is concealed behind an additional RC4+XOR encryption layer around an embedded configuration blob and was not statically resolved. The decoded behavioral payload (module requires, credential-file target list, exfiltration headers and endpoint) is byte-for-byte identical across sampled packages in the campaign. The campaign shares tooling and infrastructure patterns (obfuscated postinstall credential harvester, X-Secret header, /api/v1/events exfiltration path, RC4-concealed C2) with the earlier @emcd-vue campaign, indicating the same actor rotating scopes and disposable maintainer emails. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (108121fd7d553c24c0990884bc6854df559111a77ae72d65a311d6f74fde6954) @marketfront/gotoauthpopup@7.0.0 declares a postinstall hook (scripts.postinstall: 'node scripts/postinstall.js') that automatically runs on npm install. scripts/postinstall.js is a single ~165 KB obfuscator.io-style bundle: an RC4-decoded rotated string array, a self-defending IIFE, and a guard that inspects process.argv and process.env.NODE_OPTIONS for debugger/inspector markers plus a busy-loop timing check and only executes the payload when no debugger is detected. When the guard passes, the script harvests installer host identity (hostname, username, homedir, arch, cpus, platform, release, network interfaces), a bulk dump of process.env, Windows-specific env (USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, PROGRAMDATA, TEMP), enumerates the user's home directory via fs.readdirSync, and reads targeted config/credential files via fs.readFileSync. The collected data is RC4-encrypted and POSTed via https.request to a C2 host that is assembled at runtime from atob() fragments so the destination does not appear as a plaintext string in the source. A parallel covert channel base32-encodes the same ciphertext, splits it into ~50-character DNS labels, and issues dns.resolve4() queries against the same host used as the authoritative resolver, providing DNS-tunnel exfiltration to bypass HTTP egress filtering. The package additionally impersonates internal corporate infrastructure — repository github.marketfront.io, bugs jira.marketfront.io, homepage docs.marketfront.io, and README instructing developers to configure registry=https://npm.marketfront.io — a dependency-confusion cover story to induce installation of what appears to be an internal auth SDK. The declared main points at../src/index.js which is not shipped, so the package has no legitimate library functionality; its only on-install effect is the dropper. README framing of the postinstall as 'anonymous telemetry' does not apply — the behavior is bulk credential and configuration harvest with anti-analysis evasion and a covert side channel.
Compromised versions (1)
- 7.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.