MAL-2026-5970

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-types/MAL-2026-5970.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5970
Published
2026-06-17T03:44:42Z
Modified
2026-06-17T06:02:02.983871723Z
Summary
Malicious code in cryptodao-types (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (39fca1d76ba65e01fbd3319d6752bb0dc896f9cc356676c6bfad3671d8b1e0d9)

On npm install, the package's postinstall script (recon.js) harvests installer-side secrets and POSTs them to attacker-controlled webhook endpoints. The script collects hostname, username, cwd, and roughly 40 named environment variables including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, PRIVATE_KEY, MNEMONIC, SEED_PHRASE, and DB_PASSWORD. It also reads .env and .env.production files from the current working directory, parent directories, /, /app, and /root, and enumerates /builds and gitlab-runner directories. The collected payload is then sent via HTTPS to webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net with rejectUnauthorized: false to bypass TLS-inspecting corporate proxies. The package name combined with version 99.99.99 and the internal-sounding description is consistent with a dependency-confusion attack targeting an organization's internal CI builds.
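As an added defender-side example (not code from the advisory or from either analysis source), the following Python audit walks a node_modules tree and flags the traits this report describes: implausibly high versions such as 99.99.99, install-time lifecycle hooks, and hook scripts that reference the named webhook hosts, disable TLS verification, read secret-bearing environment variables, or open .env files. The package name sample-types, the indicator regexes, the version threshold and the stand-in recon.js are constructed for the demonstration and are not the real package contents.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators the advisory names, plus the TLS-bypass option it quotes.
INDICATORS = {
    "exfil-host": re.compile(r"webhook\.site|pipedream\.net"),
    "tls-bypass": re.compile(r"rejectUnauthorized\s*:\s*false"),
    "secret-env": re.compile(r"process\.env\.\w*(?:KEY|TOKEN|SECRET|PASSWORD|MNEMONIC|SEED)\w*"),
    "dotenv-read": re.compile(r'''['"]\.env(?:\.production)?['"]'''),
}
LIFECYCLE = ("preinstall", "install", "postinstall")

def suspicious_version(version):
    # Implausibly high components (99.99.99 here) are the dependency-confusion tell.
    parts = version.split(".")
    return all(p.isdigit() for p in parts) and max(int(p) for p in parts) >= 90

def audit_package(pkg_dir):
    # Version check, lifecycle hooks, and an indicator scan of any "node <file>" hook target.
    manifest = json.loads((Path(pkg_dir) / "package.json").read_text())
    version, scripts = manifest.get("version", "0"), manifest.get("scripts", {})
    tag = f"{manifest.get('name', '?')}@{version}"
    findings = [f"{tag}: dependency-confusion-style version"] if suspicious_version(version) else []
    for hook in [h for h in LIFECYCLE if scripts.get(h)]:
        findings.append(f"{tag}: {hook} runs '{scripts[hook]}'")
        match = re.search(r"node\s+(\S+)", scripts[hook])
        script = Path(pkg_dir) / match.group(1) if match else None
        if script and script.is_file():
            body = script.read_text(errors="ignore")
            findings += [f"{tag}: {script.name} matches {k}" for k, p in INDICATORS.items() if p.search(body)]
    return findings

def audit_node_modules(root):
    # Top-level and scoped (@org/name) packages under a node_modules directory.
    manifests = [*Path(root).glob("*/package.json"), *Path(root).glob("@*/*/package.json")]
    return [f for m in manifests for f in audit_package(m.parent)]

def write_sample():
    # Constructed stand-in (not the real tarball) in a scratch directory; its
    # install script only holds the indicator strings and performs no action.
    pkg = Path(tempfile.mkdtemp()) / "node_modules" / "sample-types"
    pkg.mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({"name": "sample-types",
        "version": "99.99.99", "scripts": {"postinstall": "node recon.js"}}))
    (pkg / "recon.js").write_text("const opts = { rejectUnauthorized: false };\n"
        "const url = 'https://webhook.site/';\nconst tok = process.env.NPM_TOKEN;\nconst f = '.env';\n")
    return pkg.parent
```

Running `audit_node_modules(write_sample())` returns six findings for the stand-in; point `audit_node_modules` at a real project's node_modules to audit it, and pair the check with `ignore-scripts=true` in .npmrc so lifecycle hooks are not executed at all during CI installs.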

Source: ossf-package-analysis (366efc73a08168b218b200ec6b3eb29daf6e48834e7b53b50bc931b7f90bf91b)

The OpenSSF Package Analysis project identified 'cryptodao-types' @ 99.99.99 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-17T03:48:43.219360269Z",
            "versions": [
                "99.99.99"
            ],
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-17T03:44:42Z",
            "sha256": "366efc73a08168b218b200ec6b3eb29daf6e48834e7b53b50bc931b7f90bf91b"
        },
        {
            "id": "IN-MAL-2026-006865",
            "import_time": "2026-06-17T05:45:41.175035727Z",
            "versions": [
                "99.99.99"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T04:04:30Z",
            "sha256": "39fca1d76ba65e01fbd3319d6752bb0dc896f9cc356676c6bfad3671d8b1e0d9"
        }
    ]
}
References
Credits

Affected packages

Package: npm / cryptodao-types
Affected ranges: 99.*
Affected versions: 99.99.99

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-types/MAL-2026-5970.json"
indicators
{
    "package_integrity": [
        {
            "filename": "cryptodao-types-99.99.99.tgz",
            "hashes": {
                "sha1": "9d2cfef56670557c8ebfdd960f625b4b42caccfb",
                "sha512_sri": "sha512-iicG4qLkpgoZto/fRij4Be3SrVQ4uWw5GlNESTE7cytFub3Vcqavj5r4Dfb19WP5KFXPLpuHpn2DiA30eC2KIA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "recon.js",
            "sha256": "3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740",
            "tlsh": "e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef"
        }
    ]
}