MAL-2026-5968

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-deploy/MAL-2026-5968.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5968
Published
2026-06-17T03:46:50Z
Modified
2026-06-17T06:02:02.818528570Z
Summary
Malicious code in cryptodao-deploy (npm)
Details

Source: amazon-inspector (5323b2fc30e7603b402729f45345a9c3eb4af8361acaca5d035cc51f9e660cea)

package.json declares postinstall: node recon.js, which fires automatically on npm install. recon.js enumerates installer-side secrets (AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, DB_PASSWORD, MNEMONIC and similar credential-shaped environment variables), reads .env files at multiple paths, and lists CI runner directories such as /builds/ and /home/gitlab-runner/. It also collects host and identity reconnaissance (hostname, platform, user, cwd, CI_PROJECT_PATH, CI_JOB_ID, CI_REGISTRY_USER/PASSWORD). The collected data is JSON-serialized and POSTed via https.request with rejectUnauthorized:false to webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net. The package is named cryptodao-deploy and published at version 99.99.99 with an in-source comment 'CryptoDAO Dependency Confusion Reconnaissance Payload', indicating intent to override an internal private package via dependency-confusion resolution and run the exfil payload inside the victim's CI.
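The checks a defender would run over an unpacked package before letting it install, as an added example that is not from the advisory or the package. It assumes package.json and the top-level source files have already been read into memory; the credential-name list, the outranks() version comparison and the sample package contents are constructed here.

```javascript
// Added example (not code from the advisory or the package): pre-install triage of an
// unpacked npm package for the traits described above: install-time lifecycle scripts,
// a version that out-ranks the internal package of the same name (dependency-confusion
// bait), and source that reads credential-shaped env vars or .env files or disables
// TLS verification before an outbound request.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Credential names taken from the advisory; extend for your own environment.
const CRED_ENV = /\b(AWS_SECRET_ACCESS_KEY|NPM_TOKEN|GITLAB_\w*TOKEN|SSH_PRIVATE_KEY|DB_PASSWORD|MNEMONIC)\b/;

function versionTuple(v) {
  return String(v).split('.').map((n) => parseInt(n, 10) || 0);
}

// True when public version `pub` sorts above `internal`: the condition under which a
// registry prefers the public package over the private one of the same name.
function outranks(pub, internal) {
  const a = versionTuple(pub), b = versionTuple(internal);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return false;
}

// pkg: parsed package.json; files: { fileName: sourceText };
// internalVersion: version of the private package this name is expected to resolve to.
function triagePackage(pkg, files, internalVersion) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle:${hook}=${scripts[hook]}`);
  }
  if (internalVersion && outranks(pkg.version, internalVersion)) {
    findings.push(`version:${pkg.version} outranks internal ${internalVersion}`);
  }
  for (const [name, src] of Object.entries(files)) {
    if (/process\.env/.test(src) && CRED_ENV.test(src)) findings.push(`${name}:credential-env`);
    if (/['"][^'"]*\.env['"]/.test(src) && /readFile(Sync)?\s*\(/.test(src)) findings.push(`${name}:dotenv-read`);
    if (/rejectUnauthorized\s*:\s*false/.test(src)) findings.push(`${name}:tls-verify-off`);
    if (/https?\.request\s*\(|fetch\s*\(/.test(src)) findings.push(`${name}:outbound-request`);
  }
  return findings;
}

// Constructed sample mirroring the advisory's indicators; not the real package contents.
const SAMPLE_PKG = { name: 'cryptodao-deploy', version: '99.99.99', scripts: { postinstall: 'node recon.js' } };
const SAMPLE_FILES = { 'recon.js': "const t = process.env.NPM_TOKEN;\nfs.readFileSync('.env');\nhttps.request({ rejectUnauthorized: false });\n" };

console.log(triagePackage(SAMPLE_PKG, SAMPLE_FILES, '1.4.2'));
```

Pair a check like this with ignore-scripts=true in .npmrc and a scoped registry mapping for internal package names, so a public look-alike can neither be resolved in place of the private package nor run code at install time.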

Source: ossf-package-analysis (2611f17b04a754eafe632f845f449c6bd036c048ac8b1c31295491524ccaecaa)

The OpenSSF Package Analysis project identified 'cryptodao-deploy' @ 99.99.99 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2611f17b04a754eafe632f845f449c6bd036c048ac8b1c31295491524ccaecaa",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-17T03:46:50Z",
            "versions": [
                "99.99.99"
            ],
            "import_time": "2026-06-17T03:48:43.502976735Z"
        },
        {
            "sha256": "5323b2fc30e7603b402729f45345a9c3eb4af8361acaca5d035cc51f9e660cea",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T04:04:31Z",
            "id": "IN-MAL-2026-006866",
            "versions": [
                "99.99.99"
            ],
            "import_time": "2026-06-17T05:45:41.210826006Z"
        }
    ]
}

Affected packages

Package: npm / cryptodao-deploy
Affected ranges: 99.*
Affected versions: 99.99.99

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-deploy/MAL-2026-5968.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740",
            "tlsh": "e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef",
            "path": "recon.js"
        },
        {
            "sha256": "e9029f9788760b0bd144f5a63a6d7532d607c3bfe0196bae4efc4568851b6abc",
            "tlsh": "83d0a7341d31bb2335cd9a978832940536f14d5f51009a04038b11ac46ed1f664ff25d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-S0UVH9P5xedQRn3hMHIbgE6owMxVOLYhfDrF0vuFrPLXKJy8oJq/gRyCGBfaC2cROx/nj6YD6ZyohxX238KsEQ==",
                "sha1": "1f71ef274f3ff9b7ef3ef831925ce81c02c99bd8"
            },
            "filename": "cryptodao-deploy-99.99.99.tgz"
        }
    ]
}