MAL-2026-6764: Malicious code in @marketfront/advertisingdevtool (npm)
The @marketfront/advertisingdevtool npm package version 7.0.0 is part of a malicious campaign involving 25 packages published within a short time frame. It contains a heavily obfuscated postinstall script that executes automatically during npm install, harvesting sensitive credentials from the host system. The harvested data includes SSH keys, AWS credentials, Kubernetes configs, Docker configs, npm tokens, Git credentials, environment files, and shell history. The stolen data is exfiltrated via encrypted HTTPS POST requests and DNS tunneling to a concealed command-and-control server. The package uses anti-analysis techniques to evade detection and presents a false cover story targeting organizations using private npm scopes.
AI Analysis
Technical Summary
This threat involves a malicious npm package, @marketfront/advertisingdevtool version 7.0.0, which executes an obfuscated postinstall script upon installation. The script collects extensive host reconnaissance data and reads approximately 20 sensitive credential files from the user's home directory. It encrypts and exfiltrates this data via two channels: an HTTPS POST with a custom X-Secret header and a DNS tunnel using encrypted subdomain labels. The package employs anti-debugging and anti-analysis checks to avoid detection. This campaign shares infrastructure and tooling with a previous campaign (@emcd-vue), indicating a recurring threat actor rotating scopes and maintainer identities. The package masquerades as an internal configuration loader with fake internal URLs to mislead victims.
Potential Impact
The impact is the unauthorized collection and exfiltration of a wide range of sensitive credentials and environment data from infected hosts. This can lead to credential compromise, unauthorized access to cloud services, source code repositories, container registries, and other critical infrastructure. The anti-analysis features increase the difficulty of detection and analysis, potentially allowing prolonged undetected compromise.
Mitigation Recommendations
No official patch or fix is available for this malicious package. The package should be considered malicious and removed immediately if found in any environment. Users and organizations should audit their dependencies for the presence of @marketfront/advertisingdevtool version 7.0.0 and any other packages from the @marketfront scope published on 2026-07-01 at version 7.0.0. Avoid installing or using these packages. Implement strict supply chain security practices such as verifying package provenance and using trusted registries. Monitor for suspicious network activity related to exfiltration channels described. Since this is a malicious package, remediation involves removal and credential rotation for any potentially compromised secrets.
MAL-2026-6764: Malicious code in @marketfront/advertisingdevtool (npm)
Description
The @marketfront/advertisingdevtool npm package version 7.0.0 is part of a malicious campaign involving 25 packages published within a short time frame. It contains a heavily obfuscated postinstall script that executes automatically during npm install, harvesting sensitive credentials from the host system. The harvested data includes SSH keys, AWS credentials, Kubernetes configs, Docker configs, npm tokens, Git credentials, environment files, and shell history. The stolen data is exfiltrated via encrypted HTTPS POST requests and DNS tunneling to a concealed command-and-control server. The package uses anti-analysis techniques to evade detection and presents a false cover story targeting organizations using private npm scopes.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a malicious npm package, @marketfront/advertisingdevtool version 7.0.0, which executes an obfuscated postinstall script upon installation. The script collects extensive host reconnaissance data and reads approximately 20 sensitive credential files from the user's home directory. It encrypts and exfiltrates this data via two channels: an HTTPS POST with a custom X-Secret header and a DNS tunnel using encrypted subdomain labels. The package employs anti-debugging and anti-analysis checks to avoid detection. This campaign shares infrastructure and tooling with a previous campaign (@emcd-vue), indicating a recurring threat actor rotating scopes and maintainer identities. The package masquerades as an internal configuration loader with fake internal URLs to mislead victims.
Potential Impact
The impact is the unauthorized collection and exfiltration of a wide range of sensitive credentials and environment data from infected hosts. This can lead to credential compromise, unauthorized access to cloud services, source code repositories, container registries, and other critical infrastructure. The anti-analysis features increase the difficulty of detection and analysis, potentially allowing prolonged undetected compromise.
Mitigation Recommendations
No official patch or fix is available for this malicious package. The package should be considered malicious and removed immediately if found in any environment. Users and organizations should audit their dependencies for the presence of @marketfront/advertisingdevtool version 7.0.0 and any other packages from the @marketfront scope published on 2026-07-01 at version 7.0.0. Avoid installing or using these packages. Implement strict supply chain security practices such as verifying package provenance and using trusted registries. Monitor for suspicious network activity related to exfiltration channels described. Since this is a malicious package, remediation involves removal and credential rotation for any potentially compromised secrets.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6764
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a4c348527e9c7971960743c
Added to database: 07/06/2026, 23:04:37 UTC
Last enriched: 07/06/2026, 23:41:07 UTC
Last updated: 07/06/2026, 23:51:10 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.