cryptodao-sdk@99.99.99 ships a postinstall script (recon.js) that runs automatically on npm install and harvests secrets from the installing host. The script enumerates a hardcoded list of credential-bearing environment variables (including AWS_SECRET_ACCESS_KEY, NPM_TOKEN, CI_JOB_TOKEN, GitLab tokens, database passwords, PRIVATE_KEY, MNEMONIC, RPC URLs and Docker credentials), reads .env files from common application paths, and lists CI build directories. The collected data, together with host metadata (hostname, platform, user, cwd), is POSTed over HTTPS to two attacker-controlled endpoints, webhook.site/d6d18927-... and enqoojbegdvxj.x.pipedream.net, with TLS certificate verification explicitly disabled (rejectUnauthorized: false). A copy is also written to /tmp/.npmrecon_<ts>.json. The package.json sets version 99.99.99 (a classic dependency-confusion override chosen to outrank private internal packages of the same name), the description claims it is an internal CryptoDAO module, and recon.js self-identifies in a comment as a 'CryptoDAO Dependency Confusion Reconnaissance Payload'. The combination of dependency-confusion namespace abuse with install-time credential exfiltration is an unambiguous supply-chain attack.
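As an added defensive example (not code from the advisory or from the package), a small Node.js check that flags in a package manifest the two indicators described above: an install-time lifecycle script, and a dependency-confusion version override on a name that matches a private internal package. The internal package list and the sample manifest are constructed for this example.

```javascript
// Added example: audit a package.json object for the indicators the advisory
// describes. Not code from the malicious package or the OpenSSF project.

// npm lifecycle hooks that execute code during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Names that exist only in your private registry (constructed sample list;
// in practice, generate this from your internal registry's package index).
const INTERNAL_PACKAGES = new Set(["cryptodao-sdk", "cryptodao-utils"]);

// Parse "MAJOR.MINOR.PATCH" into numbers; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Returns a list of findings; an empty list means no indicator fired.
// `fromPublicRegistry` is true when the manifest was resolved from npmjs.org.
function auditManifest(pkg, fromPublicRegistry = true) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ indicator: "install-script", hook, command: scripts[hook] });
    }
  }
  // An internal name served by the public registry is the dependency-confusion
  // precondition: the resolver may prefer the public copy.
  if (fromPublicRegistry && INTERNAL_PACKAGES.has(pkg.name)) {
    findings.push({ indicator: "internal-name-on-public-registry", name: pkg.name });
  }
  // Versions such as 99.99.99 are chosen to outrank any real internal release.
  const ver = parseVersion(pkg.version || "");
  if (ver && ver[0] >= 99) {
    findings.push({ indicator: "implausible-version", version: pkg.version });
  }
  return findings;
}

// Constructed manifest modelled on the advisory's description of the package.
const SAMPLE_MANIFEST = {
  name: "cryptodao-sdk",
  version: "99.99.99",
  description: "Internal CryptoDAO module",
  scripts: { postinstall: "node recon.js" },
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Run it against the manifests in a freshly resolved lockfile before installing; pairing it with `ignore-scripts=true` in .npmrc prevents a flagged postinstall hook from running at all.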
The OpenSSF Package Analysis project identified 'cryptodao-sdk' @ 99.99.99 (npm) as malicious.
It is considered malicious because:
{
  "malicious-packages-origins": [
    {
      "import_time": "2026-06-17T03:48:42.971156836Z",
      "versions": [
        "99.99.99"
      ],
      "source": "ossf-package-analysis",
      "sha256": "2fd0b9ae70fe8613fefca34d371faf77a9c69e36f8756c3da390d16f486a40e9",
      "modified_time": "2026-06-17T03:36:34Z"
    },
    {
      "id": "IN-MAL-2026-006868",
      "import_time": "2026-06-17T05:45:41.292912375Z",
      "source": "amazon-inspector",
      "versions": [
        "99.99.99"
      ],
      "sha256": "03ac58e81310f19b32d136445eab91f7ddc776921ff8dfd08bdb91bcdd4a1da6",
      "modified_time": "2026-06-17T04:04:32Z"
    }
  ]
}

[
  {
    "name": "Embedded Malicious Code",
    "description": "The product contains code that appears to be malicious in nature.",
    "cweId": "CWE-506"
  }
]

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-sdk/MAL-2026-5969.json"

{
  "package_integrity": [
    {
      "filename": "cryptodao-sdk-99.99.99.tgz",
      "hashes": {
        "sha1": "e0c0093c63520fd079a356752278ca350dfb4b8d",
        "sha512_sri": "sha512-q2FW0fkIuaEG8XumOxw1M1z/HrXEXjowSV9E4/IOh0oUeHX9frv0dMiwD5dbgqKkOKuePxLEIAQ91vkAEn1eGw=="
      }
    }
  ],
  "evidence_files": [
    {
      "path": "recon.js",
      "sha256": "3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740",
      "tlsh": "e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef"
    },
    {
      "path": "package.json",
      "sha256": "390f4d247cca0b5d05f695400cb225143d700058295287dc587f0a38d788ddc7",
      "tlsh": "3fd0a7341d31fb2335cd1a974832d80526b11d5e2100960803c711a941ee2b664ff229"
    }
  ]
}