MAL-2026-5975

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-contracts/MAL-2026-5975.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5975
Published
2026-06-17T04:04:31Z
Modified
2026-06-17T06:02:02.385134502Z
Summary
Malicious code in cryptodao-contracts (npm)
Details

Source: amazon-inspector (21c450a1d14c10213b83137f9c0670a9d8ed953105f96d66eedee78a56479d82)

Package is published as version 99.99.99 to win private-vs-public resolution against an internal cryptodao-contracts namespace. The package's main module is a one-line stub; the real payload runs from the postinstall script recon.js. On npm install, recon.js enumerates a hardcoded list of installer-side secret environment variables (AWSSECRETACCESSKEY, SSHPRIVATEKEY, NPMTOKEN, GITLABACCESSTOKEN, MNEMONIC, SEEDPHRASE, PRIVATEKEY, DB_PASSWORD, etc.), reads .env files from installer-owned paths (/root/.env, /app/.env, .env.production), and grep-extracts lines matching KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC. The collected secrets, hostname, user, cwd, and CI build-directory listings are POSTed over HTTPS to two attacker-controlled endpoints, webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net, with TLS verification disabled (rejectUnauthorized: false). Self-described in source as a 'CryptoDAO Dependency Confusion Reconnaissance Payload'.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006867",
            "import_time": "2026-06-17T05:45:41.242143797Z",
            "source": "amazon-inspector",
            "versions": [
                "99.99.99"
            ],
            "modified_time": "2026-06-17T04:04:31Z",
            "sha256": "21c450a1d14c10213b83137f9c0670a9d8ed953105f96d66eedee78a56479d82"
        }
    ]
}

Affected packages

npm / cryptodao-contracts

Package

Name
cryptodao-contracts
Purl
pkg:npm/cryptodao-contracts

Affected ranges

Affected versions

99.*
99.99.99

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-contracts/MAL-2026-5975.json"
indicators
{
    "package_integrity": [
        {
            "filename": "cryptodao-contracts-99.99.99.tgz",
            "hashes": {
                "sha1": "df322dcf49638288a3fcfb1f2631145d7d27710c",
                "sha512_sri": "sha512-fJNlzicPayxBTnOhWgJaN5S9h+yhbyj4eY4Dg49sozudHXZeB+TvHkb3L43kEndPRl6nKiKSt9TQdsx+PoP7FA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "recon.js",
            "sha256": "3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740",
            "tlsh": "e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef"
        },
        {
            "path": "package.json",
            "sha256": "c6efdcef6c3731ec4440dda561911e831181435169eb5fe5d4f41335cd7f1d9a",
            "tlsh": "60d0a7352d72fb3336cd1ba76835d40526b15e5e5104960903c7216941ed1f664ff359"
        }
    ]
}