{"id":"MAL-2026-5970","summary":"Malicious code in cryptodao-types (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (39fca1d76ba65e01fbd3319d6752bb0dc896f9cc356676c6bfad3671d8b1e0d9)\nOn `npm install`, the package's postinstall script (recon.js) harvests installer-side secrets and POSTs them to attacker-controlled webhook endpoints. The script collects hostname, username, cwd, and roughly 40 named environment variables including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, PRIVATE_KEY, MNEMONIC, SEED_PHRASE, and DB_PASSWORD. It also reads `.env` and `.env.production` files from the current working directory, parent directories, `/`, `/app`, and `/root`, and enumerates `/builds` and gitlab-runner directories. The collected payload is then sent via HTTPS to `webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd` and `enqoojbegdvxj.x.pipedream.net` with `rejectUnauthorized: false` to bypass TLS-inspecting corporate proxies. The package name combined with version 99.99.99 and the internal-sounding description is consistent with a dependency-confusion attack targeting an organization's internal CI builds.\n\n## Source: ossf-package-analysis (366efc73a08168b218b200ec6b3eb29daf6e48834e7b53b50bc931b7f90bf91b)\nThe OpenSSF Package Analysis project identified 'cryptodao-types' @ 99.99.99 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-17T06:02:02.983871723Z","published":"2026-06-17T03:44:42Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-17T03:48:43.219360269Z","versions":["99.99.99"],"source":"ossf-package-analysis","sha256":"366efc73a08168b218b200ec6b3eb29daf6e48834e7b53b50bc931b7f90bf91b","modified_time":"2026-06-17T03:44:42Z"},{"import_time":"2026-06-17T05:45:41.175035727Z","versions":["99.99.99"],"source":"amazon-inspector","sha256":"39fca1d76ba65e01fbd3319d6752bb0dc896f9cc356676c6bfad3671d8b1e0d9","id":"IN-MAL-2026-006865","modified_time":"2026-06-17T04:04:30Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptodao-types/v/99.99.99"}],"affected":[{"package":{"name":"cryptodao-types","ecosystem":"npm","purl":"pkg:npm/cryptodao-types"},"versions":["99.99.99"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-types/MAL-2026-5970.json","indicators":{"package_integrity":[{"filename":"cryptodao-types-99.99.99.tgz","hashes":{"sha1":"9d2cfef56670557c8ebfdd960f625b4b42caccfb","sha512_sri":"sha512-iicG4qLkpgoZto/fRij4Be3SrVQ4uWw5GlNESTE7cytFub3Vcqavj5r4Dfb19WP5KFXPLpuHpn2DiA30eC2KIA=="}}],"evidence_files":[{"sha256":"3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740","tlsh":"e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef","path":"recon.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}