{"id":"MAL-2026-5967","summary":"Malicious code in cryptodao-config (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2b5f3b7ec6eecce3d891664f33660a1c612cdd3c6ac99ba52633ef77a2df543c)\nOn `npm install`, the postinstall hook runs `node recon.js`, which harvests installer-side secrets and POSTs them over HTTPS (with TLS certificate verification disabled) to two attacker-controlled collectors: `webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd` and `enqoojbegdvxj.x.pipedream.net`. The payload (recon.js) reads a curated list of high-value environment variables — including `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `CI_JOB_TOKEN`, `CI_REGISTRY_PASSWORD`, `GITLAB_ACCESS_TOKEN`, `SSH_PRIVATE_KEY`, `NPM_TOKEN`, `MNEMONIC`, `PRIVATE_KEY`, `DB_PASSWORD` — reads multiple `.env` files (`./.env`, `/app/.env`, `/home/gitlab-runner/.env`, `/root/.env`) and filters lines matching `/KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC/i`, enumerates GitLab runner build directories (`/builds`, `/home/gitlab-runner/builds/`), and ships the resulting JSON to the two endpoints. The package is published at version `99.99.99` — the canonical dependency-confusion override version — and a comment in recon.js explicitly self-identifies as a 'CryptoDAO Dependency Confusion Reconnaissance Payload', confirming intent to be auto-installed by victim pipelines that maintain an internal `cryptodao-config` package.\n\n## Source: ossf-package-analysis (c9afe812a548e5d3b8158d3e359c37ec874e86c003476c8dc7b9de732113ca86)\nThe OpenSSF Package Analysis project identified 'cryptodao-config' @ 99.99.99 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-17T06:02:02.140061736Z","published":"2026-06-17T03:45:31Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-17T03:45:31Z","versions":["99.99.99"],"sha256":"c9afe812a548e5d3b8158d3e359c37ec874e86c003476c8dc7b9de732113ca86","import_time":"2026-06-17T03:48:43.355918912Z","source":"ossf-package-analysis"},{"id":"IN-MAL-2026-006861","import_time":"2026-06-17T05:45:40.95749882Z","versions":["99.99.99"],"sha256":"2b5f3b7ec6eecce3d891664f33660a1c612cdd3c6ac99ba52633ef77a2df543c","modified_time":"2026-06-17T04:04:27Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptodao-config/v/99.99.99"}],"affected":[{"package":{"name":"cryptodao-config","ecosystem":"npm","purl":"pkg:npm/cryptodao-config"},"versions":["99.99.99"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-config/MAL-2026-5967.json","indicators":{"evidence_files":[{"path":"recon.js","tlsh":"e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef","sha256":"3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740"},{"path":"package.json","tlsh":"0ed0a7361d35bf2336dd1ea7983594052ab11f9f1141960803d7216842ed5b664ff359","sha256":"0d951aea6187f4e3fbde62c36c487fb5c89bcb82efc4528153efb5ca4408e031"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-5QLGL5zPrgxu+X+c3R7TmFA5ksGlLPfuwU2T7hOaMtCWo+4LRVn2yrGQ5xI8vdOqkwFSl48EzTZcjW+J/qgdTg==","sha1":"0db084acdae4f09ba9bbf57ad51dc76402731a3e"},"filename":"cryptodao-config-99.99.99.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}