MAL-2026-6766: Malicious code in @marketfront/baobabtech (npm)
The @marketfront/baobabtech npm package version 7.0.0 is part of a malicious campaign involving 25 packages published within a short time frame. It contains a heavily obfuscated postinstall script that executes automatically during npm install. This script harvests sensitive credentials and environment information from the host, including SSH keys, AWS credentials, Kubernetes configs, Docker configs, npm and git credentials, and various environment variables. The stolen data is exfiltrated via a compressed HTTPS POST request to a concealed command-and-control server. The campaign shares infrastructure and techniques with a prior malicious campaign, indicating a recurring threat actor. This package falsely advertises itself as a database utility but performs unauthorized credential theft at install time.
AI Analysis
Technical Summary
The @marketfront/baobabtech package at version 7.0.0 includes a postinstall lifecycle hook that runs an obfuscated ~160 KB payload encoded with obfuscator.io and protected by RC4/XOR encryption and anti-analysis checks. Upon installation, it collects extensive environment and system information, reads approximately 20 sensitive credential files from the filesystem, and exfiltrates this data via a gzip-compressed HTTPS POST request with a custom X-Secret header to a hidden API endpoint. The command-and-control infrastructure is concealed behind additional encryption layers. This behavior is consistent across all packages in the campaign and matches patterns from a previous campaign under a different npm scope, indicating the same attacker rotating scopes and maintainer identities. The package’s advertised functionality does not justify such extensive data collection, confirming malicious intent.
Potential Impact
Installation of @marketfront/baobabtech version 7.0.0 results in automatic execution of malicious code that steals a wide range of sensitive credentials and environment data from the host system. This can lead to credential compromise across multiple services (SSH, AWS, Kubernetes, Docker, npm, git, databases, etc.), potentially enabling unauthorized access, lateral movement, and further compromise of development and production environments. The exfiltration of this data to a concealed command-and-control server facilitates attacker persistence and exploitation.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. The package should be considered malicious and immediately removed from any projects or environments where it is installed. Avoid installing packages from the @marketfront npm scope or any packages published by the user 'marketfront' until further notice. Employ strict package source verification and supply chain security controls to prevent installation of untrusted or suspicious packages. Monitor for presence of this package and related artifacts in development and build environments.
MAL-2026-6766: Malicious code in @marketfront/baobabtech (npm)
Description
The @marketfront/baobabtech npm package version 7.0.0 is part of a malicious campaign involving 25 packages published within a short time frame. It contains a heavily obfuscated postinstall script that executes automatically during npm install. This script harvests sensitive credentials and environment information from the host, including SSH keys, AWS credentials, Kubernetes configs, Docker configs, npm and git credentials, and various environment variables. The stolen data is exfiltrated via a compressed HTTPS POST request to a concealed command-and-control server. The campaign shares infrastructure and techniques with a prior malicious campaign, indicating a recurring threat actor. This package falsely advertises itself as a database utility but performs unauthorized credential theft at install time.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The @marketfront/baobabtech package at version 7.0.0 includes a postinstall lifecycle hook that runs an obfuscated ~160 KB payload encoded with obfuscator.io and protected by RC4/XOR encryption and anti-analysis checks. Upon installation, it collects extensive environment and system information, reads approximately 20 sensitive credential files from the filesystem, and exfiltrates this data via a gzip-compressed HTTPS POST request with a custom X-Secret header to a hidden API endpoint. The command-and-control infrastructure is concealed behind additional encryption layers. This behavior is consistent across all packages in the campaign and matches patterns from a previous campaign under a different npm scope, indicating the same attacker rotating scopes and maintainer identities. The package’s advertised functionality does not justify such extensive data collection, confirming malicious intent.
Potential Impact
Installation of @marketfront/baobabtech version 7.0.0 results in automatic execution of malicious code that steals a wide range of sensitive credentials and environment data from the host system. This can lead to credential compromise across multiple services (SSH, AWS, Kubernetes, Docker, npm, git, databases, etc.), potentially enabling unauthorized access, lateral movement, and further compromise of development and production environments. The exfiltration of this data to a concealed command-and-control server facilitates attacker persistence and exploitation.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. The package should be considered malicious and immediately removed from any projects or environments where it is installed. Avoid installing packages from the @marketfront npm scope or any packages published by the user 'marketfront' until further notice. Employ strict package source verification and supply chain security controls to prevent installation of untrusted or suspicious packages. Monitor for presence of this package and related artifacts in development and build environments.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6766
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a4c348527e9c79719607437
Added to database: 07/06/2026, 23:04:37 UTC
Last enriched: 07/06/2026, 23:40:58 UTC
Last updated: 07/07/2026, 00:51:10 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.