MAL-2026-5967
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-config/MAL-2026-5967.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5967
- Published
- 2026-06-17T03:45:31Z
- Modified
- 2026-06-17T06:02:02.140061736Z
- Summary
- Malicious code in cryptodao-config (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (2b5f3b7ec6eecce3d891664f33660a1c612cdd3c6ac99ba52633ef77a2df543c)
On
npm install, the postinstall hook runsnode recon.js, which harvests installer-side secrets and POSTs them over HTTPS (with TLS certificate verification disabled) to two attacker-controlled collectors:webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0ddandenqoojbegdvxj.x.pipedream.net. The payload (recon.js) reads a curated list of high-value environment variables — includingAWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,CI_JOB_TOKEN,CI_REGISTRY_PASSWORD,GITLAB_ACCESS_TOKEN,SSH_PRIVATE_KEY,NPM_TOKEN,MNEMONIC,PRIVATE_KEY,DB_PASSWORD— reads multiple.envfiles (./.env,/app/.env,/home/gitlab-runner/.env,/root/.env) and filters lines matching/KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC/i, enumerates GitLab runner build directories (/builds,/home/gitlab-runner/builds/), and ships the resulting JSON to the two endpoints. The package is published at version99.99.99— the canonical dependency-confusion override version — and a comment in recon.js explicitly self-identifies as a 'CryptoDAO Dependency Confusion Reconnaissance Payload', confirming intent to be auto-installed by victim pipelines that maintain an internalcryptodao-configpackage.Source: ossf-package-analysis (c9afe812a548e5d3b8158d3e359c37ec874e86c003476c8dc7b9de732113ca86)
The OpenSSF Package Analysis project identified 'cryptodao-config' @ 99.99.99 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- Database specific
{ "malicious-packages-origins": [ { "sha256": "c9afe812a548e5d3b8158d3e359c37ec874e86c003476c8dc7b9de732113ca86", "source": "ossf-package-analysis", "modified_time": "2026-06-17T03:45:31Z", "versions": [ "99.99.99" ], "import_time": "2026-06-17T03:48:43.355918912Z" }, { "sha256": "2b5f3b7ec6eecce3d891664f33660a1c612cdd3c6ac99ba52633ef77a2df543c", "source": "amazon-inspector", "modified_time": "2026-06-17T04:04:27Z", "id": "IN-MAL-2026-006861", "versions": [ "99.99.99" ], "import_time": "2026-06-17T05:45:40.95749882Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- OpenSSF: Package Analysis - FINDER
-
Affected packages
npm / cryptodao-config
Package
- Name
- cryptodao-config
- View open source insights on deps.dev
- Purl
- pkg:npm/cryptodao-config
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-config/MAL-2026-5967.json"
indicators
{
"evidence_files": [
{
"sha256": "3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740",
"tlsh": "e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef",
"path": "recon.js"
},
{
"sha256": "0d951aea6187f4e3fbde62c36c487fb5c89bcb82efc4528153efb5ca4408e031",
"tlsh": "0ed0a7361d35bf2336dd1ea7983594052ab11f9f1141960803d7216842ed5b664ff359",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-5QLGL5zPrgxu+X+c3R7TmFA5ksGlLPfuwU2T7hOaMtCWo+4LRVn2yrGQ5xI8vdOqkwFSl48EzTZcjW+J/qgdTg==",
"sha1": "0db084acdae4f09ba9bbf57ad51dc76402731a3e"
},
"filename": "cryptodao-config-99.99.99.tgz"
}
]
}