Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-6764: Malicious code in @marketfront/advertisingdevtool (npm)

0
Critical
Published: 07/02/2026 (07/02/2026, 00:00:00 UTC)
Source: GCVE Database
Product: @marketfront/advertisingdevtool

Description

The @marketfront/advertisingdevtool npm package version 7.0.0 is part of a malicious campaign involving 25 packages published within a short time frame. It contains a heavily obfuscated postinstall script that executes automatically during npm install, harvesting sensitive credentials from the host system. The harvested data includes SSH keys, AWS credentials, Kubernetes configs, Docker configs, npm tokens, Git credentials, environment files, and shell history. The stolen data is exfiltrated via encrypted HTTPS POST requests and DNS tunneling to a concealed command-and-control server. The package uses anti-analysis techniques to evade detection and presents a false cover story targeting organizations using private npm scopes.

Affected software

npmghsa
@marketfront/advertisingdevtool
Affected versions
=7.0.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 23:41:07 UTC

Technical Analysis

This threat involves a malicious npm package, @marketfront/advertisingdevtool version 7.0.0, which executes an obfuscated postinstall script upon installation. The script collects extensive host reconnaissance data and reads approximately 20 sensitive credential files from the user's home directory. It encrypts and exfiltrates this data via two channels: an HTTPS POST with a custom X-Secret header and a DNS tunnel using encrypted subdomain labels. The package employs anti-debugging and anti-analysis checks to avoid detection. This campaign shares infrastructure and tooling with a previous campaign (@emcd-vue), indicating a recurring threat actor rotating scopes and maintainer identities. The package masquerades as an internal configuration loader with fake internal URLs to mislead victims.

Potential Impact

The impact is the unauthorized collection and exfiltration of a wide range of sensitive credentials and environment data from infected hosts. This can lead to credential compromise, unauthorized access to cloud services, source code repositories, container registries, and other critical infrastructure. The anti-analysis features increase the difficulty of detection and analysis, potentially allowing prolonged undetected compromise.

Mitigation Recommendations

No official patch or fix is available for this malicious package. The package should be considered malicious and removed immediately if found in any environment. Users and organizations should audit their dependencies for the presence of @marketfront/advertisingdevtool version 7.0.0 and any other packages from the @marketfront scope published on 2026-07-01 at version 7.0.0. Avoid installing or using these packages. Implement strict supply chain security practices such as verifying package provenance and using trusted registries. Monitor for suspicious network activity related to exfiltration channels described. Since this is a malicious package, remediation involves removal and credential rotation for any potentially compromised secrets.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-6764
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a4c348527e9c7971960743c

Added to database: 07/06/2026, 23:04:37 UTC

Last enriched: 07/06/2026, 23:41:07 UTC

Last updated: 07/06/2026, 23:51:10 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses