{"id":"MAL-2026-5975","summary":"Malicious code in cryptodao-contracts (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (21c450a1d14c10213b83137f9c0670a9d8ed953105f96d66eedee78a56479d82)\nPackage is published as version 99.99.99 to win private-vs-public resolution against an internal `cryptodao-contracts` namespace. The package's main module is a one-line stub; the real payload runs from the postinstall script `recon.js`. On `npm install`, recon.js enumerates a hardcoded list of installer-side secret environment variables (AWS_SECRET_ACCESS_KEY, SSH_PRIVATE_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, MNEMONIC, SEED_PHRASE, PRIVATE_KEY, DB_PASSWORD, etc.), reads `.env` files from installer-owned paths (`/root/.env`, `/app/.env`, `.env.production`), and grep-extracts lines matching KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC. The collected secrets, hostname, user, cwd, and CI build-directory listings are POSTed over HTTPS to two attacker-controlled endpoints, `webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd` and `enqoojbegdvxj.x.pipedream.net`, with TLS verification disabled (`rejectUnauthorized: false`). Self-described in source as a 'CryptoDAO Dependency Confusion Reconnaissance Payload'.\n","modified":"2026-06-17T06:02:02.385134502Z","published":"2026-06-17T04:04:31Z","database_specific":{"malicious-packages-origins":[{"sha256":"21c450a1d14c10213b83137f9c0670a9d8ed953105f96d66eedee78a56479d82","modified_time":"2026-06-17T04:04:31Z","versions":["99.99.99"],"id":"IN-MAL-2026-006867","source":"amazon-inspector","import_time":"2026-06-17T05:45:41.242143797Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptodao-contracts/v/99.99.99"}],"affected":[{"package":{"name":"cryptodao-contracts","ecosystem":"npm","purl":"pkg:npm/cryptodao-contracts"},"versions":["99.99.99"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-fJNlzicPayxBTnOhWgJaN5S9h+yhbyj4eY4Dg49sozudHXZeB+TvHkb3L43kEndPRl6nKiKSt9TQdsx+PoP7FA==","sha1":"df322dcf49638288a3fcfb1f2631145d7d27710c"},"filename":"cryptodao-contracts-99.99.99.tgz"}],"evidence_files":[{"path":"recon.js","tlsh":"e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef","sha256":"3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740"},{"path":"package.json","tlsh":"60d0a7352d72fb3336cd1ba76835d40526b15e5e5104960903c7216941ed1f664ff359","sha256":"c6efdcef6c3731ec4440dda561911e831181435169eb5fe5d4f41335cd7f1d9a"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-contracts/MAL-2026-5975.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}