Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-6766: Malicious code in @marketfront/baobabtech (npm)

0
Critical
Published: 07/02/2026 (07/02/2026, 00:00:00 UTC)
Source: GCVE Database
Product: @marketfront/baobabtech

Description

The @marketfront/baobabtech npm package version 7.0.0 is part of a malicious campaign involving 25 packages published within a short time frame. It contains a heavily obfuscated postinstall script that executes automatically during npm install. This script harvests sensitive credentials and environment information from the host, including SSH keys, AWS credentials, Kubernetes configs, Docker configs, npm and git credentials, and various environment variables. The stolen data is exfiltrated via a compressed HTTPS POST request to a concealed command-and-control server. The campaign shares infrastructure and techniques with a prior malicious campaign, indicating a recurring threat actor. This package falsely advertises itself as a database utility but performs unauthorized credential theft at install time.

Affected software

npmghsa
@marketfront/baobabtech
Affected versions
=7.0.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 23:40:58 UTC

Technical Analysis

The @marketfront/baobabtech package at version 7.0.0 includes a postinstall lifecycle hook that runs an obfuscated ~160 KB payload encoded with obfuscator.io and protected by RC4/XOR encryption and anti-analysis checks. Upon installation, it collects extensive environment and system information, reads approximately 20 sensitive credential files from the filesystem, and exfiltrates this data via a gzip-compressed HTTPS POST request with a custom X-Secret header to a hidden API endpoint. The command-and-control infrastructure is concealed behind additional encryption layers. This behavior is consistent across all packages in the campaign and matches patterns from a previous campaign under a different npm scope, indicating the same attacker rotating scopes and maintainer identities. The package’s advertised functionality does not justify such extensive data collection, confirming malicious intent.

Potential Impact

Installation of @marketfront/baobabtech version 7.0.0 results in automatic execution of malicious code that steals a wide range of sensitive credentials and environment data from the host system. This can lead to credential compromise across multiple services (SSH, AWS, Kubernetes, Docker, npm, git, databases, etc.), potentially enabling unauthorized access, lateral movement, and further compromise of development and production environments. The exfiltration of this data to a concealed command-and-control server facilitates attacker persistence and exploitation.

Mitigation Recommendations

No official patch or remediation is currently available for this malicious package. The package should be considered malicious and immediately removed from any projects or environments where it is installed. Avoid installing packages from the @marketfront npm scope or any packages published by the user 'marketfront' until further notice. Employ strict package source verification and supply chain security controls to prevent installation of untrusted or suspicious packages. Monitor for presence of this package and related artifacts in development and build environments.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-6766
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a4c348527e9c79719607437

Added to database: 07/06/2026, 23:04:37 UTC

Last enriched: 07/06/2026, 23:40:58 UTC

Last updated: 07/07/2026, 00:51:10 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses