Feed
HighPublished 1 Jul 2026Updated 4 Jul 20268 packages · 8 versions

`@marketfront` dependency-confusion Wave 4 — 25 npm packages batch-published at `7.0.0` reuse the "Internal package — Platform Engineering Team" lure

Summary

On 2026-07-01 22:59 UTC the npm account marketfront created the @marketfront scope and batch-published 25 e-commerce / marketing-frontend packages in a ~3-minute window, all at version 7.0.0. Every package carries a postinstall credential-file harvester (~20 secret files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.npmrc, ~/.env) and the identical README lure "Internal package — Platform Engineering Team" — Wave 4 of the SafeDep-tracked oob.moika.tech operator lineage.

dependency-confusioncredential-theftobfuscationdns-exfiltration
Detected by
SafeDep
Also known as
oob.moika.tech Wave 4 · marketfront campaign · Internal package — Platform Engineering Team lure
Ecosystems
npm
Packages tracked
8

What happened

On 2026-07-01 22:59:33 UTC, the npm account marketfront created the @marketfront scope and, within a roughly three-minute window, batch-published 25 packages — every one at version 7.0.0. SafeDep's Abhisek Datta published the analysis on 2026-07-01 and tracks this as Wave 4 of a multi-wave dependency-confusion campaign run by a single operator who rotates disposable npm accounts and email identities. The prior aliases in the same lineage are mr.4nd3r50n, pik-libs, t-in-one, and emcd-vue.

The lure is constant, the payload evolves

The README of every package in the batch contains the same string:

> Internal package — Platform Engineering Team

SafeDep has observed this exact marker on packages published by all four prior accounts. The behaviour behind it, however, is not constant: earlier waves ran a broad process.env beacon; Wave 4 is a targeted credential-file harvester with an RC4-hidden command-and-control host. The payload dynamically requires fs, os, http, https, zlib, path, and dns, reads roughly twenty credential and secret files (~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, plus shell history), and exfiltrates the collected data as a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events. A DNS-resolver beacon runs alongside the HTTPS POST, so even hosts that block outbound https: to unknown destinations can still leak metadata via the resolver channel.

Package naming — a marketplace / livestream-commerce clone

The 25 slugs read as the frontend modules of an online marketplace. SafeDep publicly names eight of the twenty-five:

  • @marketfront/header
  • @marketfront/footer
  • @marketfront/navbar
  • @marketfront/bannerpopup
  • @marketfront/customdealsfeed
  • @marketfront/fashiononboardingpopup
  • @marketfront/livestreampreviewpopup
  • @marketfront/designsystemdevtool

The seventeen unenumerated members of the batch are not disclosed in publicly indexed excerpts of the SafeDep report; defenders should treat every dependency in the @marketfront/* scope as suspect regardless of module name, and block the entire scope at any private registry proxy.

Dependency-confusion mechanics

7.0.0 was picked as a version that beats any plausible internal release in the 0.x6.x range. If the target organisation's internal Artifactory / Nexus / Verdaccio ever falls through to the public npm registry — because of a mis-scoped .npmrc, a CI runner that lost its private-mirror auth, or a fresh Docker image without the internal mirror configured — the public @marketfront/<name>@7.0.0 wins SemVer resolution and the postinstall harvester runs.

Campaign lineage — Wave 1 through Wave 4

  • Wave 1 (2026-05-28) — accounts mr.4nd3r50n, ce-rwb, t-in-one push @cloudplatform-single-spa, @t-in-one, @ce-rwb, @wb-track, @data-science, @payments-widget, @travel-autotests, @capibar.chat, @sber-ecom-core. Payload is a process.env dump to oob.moika.tech/report with an X-Secret header. Documented by Microsoft and Aikido; catalogued at npm-2026-05-28-moika-dependency-confusion.
  • Waves 2–3 (May – June 2026) — accounts pik-libs and emcd-vue continue the pattern under fresh scopes; the "Internal package — Platform Engineering Team" README marker stays constant.
  • Wave 4 (2026-07-01) — account marketfront, scope @marketfront, 25 packages at 7.0.0. Payload has hardened into a 20-file credential harvester with an RC4-hidden C2, X-Secret header, /api/v1/events sink, plus a DNS resolver beacon.

Attribution

SafeDep attributes all four waves to a single operator based on: identical README lure across every wave; identical publish tempo (3-minute batch bursts); reuse of X-Secret as the exfil header name; and scope-creation-then-batch-publish rhythm. The operator has not been claimed by, or attributed to, any named nation-state or crimeware group. No formal GHSA record for the @marketfront/* batch is public as of 2026-07-04.

Affected packages (8)

  • npm@marketfront/bannerpopup
    7.0.0
  • npm@marketfront/customdealsfeed
    7.0.0
  • npm@marketfront/designsystemdevtool
    7.0.0
  • npm@marketfront/fashiononboardingpopup
    7.0.0
  • npm@marketfront/footer
    7.0.0
  • npm@marketfront/header
    7.0.0
  • npm@marketfront/livestreampreviewpopup
    7.0.0
  • npm@marketfront/navbar
    7.0.0

Impact

  • Postinstall hook (node scripts/postinstall.js) dumps roughly 20 credential and secret files — ~/.ssh private keys, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, and shell history — as a gzip-compressed HTTPS POST /api/v1/events with a custom X-Secret header
  • Payload is an obfuscator.io-style single-line stager that dynamically requires fs, os, http, https, zlib, path, and dns; the C2 host is RC4-hidden and resolved at runtime so a static grep on package source misses it
  • Adds a DNS-resolver beacon channel alongside the HTTPS POST — even egress firewalls that block outbound https: to unknown hosts may still leak metadata via DNS lookups the resolver performs
  • Dependency-confusion targeting: the 25 slugs (@marketfront/header, @marketfront/footer, @marketfront/navbar, @marketfront/bannerpopup, @marketfront/customdealsfeed, @marketfront/fashiononboardingpopup, @marketfront/livestreampreviewpopup, @marketfront/designsystemdevtool, plus 17 more not publicly enumerated) read as the internal frontend modules of a marketplace or livestream-commerce platform — the operator picked a very specific corporate namespace and mirrored its plausible module list
  • Version 7.0.0 was chosen so any private-mirror release in the realistic 0.x6.x range loses SemVer resolution against the public 7.0.0 if the client ever falls through to the public registry
  • Same operator lineage as the 2026-05-28 oob.moika.tech burst (Microsoft-tracked, aliases mr.4nd3r50n / ce-rwb / t-in-one) and the 2026-05-28 vpmdhaj OpenSearch typosquats — the "Internal package — Platform Engineering Team" README marker has been constant across waves while the payload evolved from a process.env beacon (Wave 1) into the current 20-file credential harvester with an RC4-hidden C2 (Wave 4)
  • Payload analysis is identical across the sampled packages in the batch — consistent with a scripted publish, not per-package development. Anyone whose CI or dev machine resolved a @marketfront/* 7.0.0 between 2026-07-01 23:00 UTC and takedown should treat every credential the host could reach as compromised

What to do

  1. 1Audit every package.json, lockfile, .npmrc, and CI image layer for any dependency under @marketfront/* — see the packages map below for the eight confirmed names, and block the entire @marketfront scope at your registry proxy so the seventeen unenumerated packages in the batch are also caught
  2. 2If your build ever resolved 7.0.0 of any @marketfront/* package: treat the build runner and any artefact it produced as fully compromised. Rotate SSH keys, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, npm tokens, git credentials, and any secret present in ~/.env or the shell environment — from a separate clean device
  3. 3Register every internal @scope your organisation uses on the public npm registry (even as a stub) so a future Wave-5 squat under a fresh scope cannot resolve — this is the only durable defence against the oob.moika.tech operator's playbook
  4. 4Pin your registry: use .npmrc to route every internal @scope to your internal mirror exclusively (e.g. @marketfront:registry=https://internal/) so the public-registry path is never queried for those scopes
  5. 5Hunt outbound HTTPS POST requests to any /api/v1/events path with a custom X-Secret header from CI runners or developer workstations, and hunt DNS queries for any resolver beacon pattern originating from a Node.js process context during the exposure window (2026-07-01 22:59 UTC → npm take-down)
  6. 6Run npm ci --ignore-scripts (or the pnpm / yarn equivalent) in CI for any build that does not need lifecycle scripts — the postinstall harvester is the entire execution vector for this cluster

References

npm-2026-07-01-marketfront-dep-confusion-wave4