MAL-2026-5966

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-backend/MAL-2026-5966.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5966
Published
2026-06-17T03:39:24Z
Modified
2026-06-17T06:02:02.001766104Z
Summary
Malicious code in cryptodao-backend (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2dbe5f8614a264a8d3cdd2ecf8ecd2ad17292dbb5c5bcc25d0ae9d77eb8821df)

package.json declares postinstall: node recon.js, which auto-runs on npm install. recon.js (lines 30-46) scrapes a curated list of credential-bearing environment variables including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, CI_REGISTRY_PASSWORD, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, PRIVATE_KEY, MNEMONIC, and DB_PASSWORD. It additionally enumerates and reads .env files at multiple paths outside the package's own scope (.env, ../.env, /app/.env, /home/gitlab-runner/.env, /root/.env), filtering lines matching /KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC/i. The collected JSON payload is POSTed (recon.js:84-87, 99-106) over HTTPS with rejectUnauthorized:false to two attacker-controlled endpoints: https://webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and https://enqoojbegdvxj.x.pipedream.net/. The package self-describes as the "CryptoDAO internal cryptodao-backend module" and is published at version 99.99.99 — the canonical dependency-confusion shape designed to outrank a private internal package of the same name during npm resolution. A source comment in recon.js explicitly labels itself a "Dependency Confusion Reconnaissance Payload."

Source: ossf-package-analysis (53a8a16fe6b574758e079eb66c47dc1dd063043bb38dd8e1534d357d43509270)

The OpenSSF Package Analysis project identified 'cryptodao-backend' @ 99.99.99 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-17T03:48:43.099414945Z",
            "source": "ossf-package-analysis",
            "versions": [
                "99.99.99"
            ],
            "sha256": "53a8a16fe6b574758e079eb66c47dc1dd063043bb38dd8e1534d357d43509270",
            "modified_time": "2026-06-17T03:39:24Z"
        },
        {
            "id": "IN-MAL-2026-006862",
            "import_time": "2026-06-17T05:45:40.994292109Z",
            "versions": [
                "99.99.99"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T04:04:28Z",
            "sha256": "2dbe5f8614a264a8d3cdd2ecf8ecd2ad17292dbb5c5bcc25d0ae9d77eb8821df"
        }
    ]
}
References
Credits

Affected packages

npm / cryptodao-backend

Package

Affected ranges

Affected versions

99.*
99.99.99

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-backend/MAL-2026-5966.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "cryptodao-backend-99.99.99.tgz",
            "hashes": {
                "sha1": "6fb6559b42a1a9d3fa11451b4894057713e4f57d",
                "sha512_sri": "sha512-teLV8yelKhMy3ttXreEw8k/pIGCNIZWS6fj+HeRVzJ42grIKRe36wx2NHE2RdvH4Ai6sYRvfOjsdjWoCKiJEEg=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "recon.js",
            "sha256": "3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740",
            "tlsh": "e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef"
        },
        {
            "path": "package.json",
            "sha256": "d3d0024952b332974a65513a5292334aeca356600e70b0bf18dd56fd40f79f6c",
            "tlsh": "08d0a7342d31bb233acd5a975c71990566b20d5f11009604038711a841fd2ba68ff21d"
        }
    ]
}