{"id":"MAL-2026-5968","summary":"Malicious code in cryptodao-deploy (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5323b2fc30e7603b402729f45345a9c3eb4af8361acaca5d035cc51f9e660cea)\npackage.json declares `postinstall: node recon.js`, which fires automatically on `npm install`. recon.js enumerates installer-side secrets — AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, DB_PASSWORD, MNEMONIC and similar credential-shaped environment variables — reads `.env` files at multiple paths, and lists CI runner directories such as `/builds/` and `/home/gitlab-runner/`. It also collects host/identity reconnaissance (hostname, platform, user, cwd, CI_PROJECT_PATH, CI_JOB_ID, CI_REGISTRY_USER/PASSWORD). The collected data is JSON-serialized and POSTed via `https.request` with `rejectUnauthorized:false` to webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net. The package is named `cryptodao-deploy` and published at version 99.99.99 with an in-source comment 'CryptoDAO Dependency Confusion Reconnaissance Payload', indicating intent to override an internal private package via dependency-confusion resolution and run the exfil payload inside the victim's CI.\n\n## Source: ossf-package-analysis (2611f17b04a754eafe632f845f449c6bd036c048ac8b1c31295491524ccaecaa)\nThe OpenSSF Package Analysis project identified 'cryptodao-deploy' @ 99.99.99 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-17T06:02:02.818528570Z","published":"2026-06-17T03:46:50Z","database_specific":{"malicious-packages-origins":[{"source":"ossf-package-analysis","versions":["99.99.99"],"modified_time":"2026-06-17T03:46:50Z","sha256":"2611f17b04a754eafe632f845f449c6bd036c048ac8b1c31295491524ccaecaa","import_time":"2026-06-17T03:48:43.502976735Z"},{"id":"IN-MAL-2026-006866","versions":["99.99.99"],"sha256":"5323b2fc30e7603b402729f45345a9c3eb4af8361acaca5d035cc51f9e660cea","modified_time":"2026-06-17T04:04:31Z","source":"amazon-inspector","import_time":"2026-06-17T05:45:41.210826006Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptodao-deploy/v/99.99.99"}],"affected":[{"package":{"name":"cryptodao-deploy","ecosystem":"npm","purl":"pkg:npm/cryptodao-deploy"},"versions":["99.99.99"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"cryptodao-deploy-99.99.99.tgz","hashes":{"sha1":"1f71ef274f3ff9b7ef3ef831925ce81c02c99bd8","sha512_sri":"sha512-S0UVH9P5xedQRn3hMHIbgE6owMxVOLYhfDrF0vuFrPLXKJy8oJq/gRyCGBfaC2cROx/nj6YD6ZyohxX238KsEQ=="}}],"evidence_files":[{"path":"recon.js","tlsh":"e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef","sha256":"3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740"},{"path":"package.json","sha256":"e9029f9788760b0bd144f5a63a6d7532d607c3bfe0196bae4efc4568851b6abc","tlsh":"83d0a7341d31bb2335cd9a978832940536f14d5f51009a04038b11ac46ed1f664ff25d"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-deploy/MAL-2026-5968.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}