On npm install, the package's postinstall hook executes recon.js, which enumerates a hardcoded list of credential-bearing environment variables (AWSSECRETACCESSKEY, NPMTOKEN, SSHPRIVATEKEY, MNEMONIC, GitLab tokens, DB_PASSWORD, etc.), reads .env files from common project and CI paths while grepping for KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC, lists build directories (/builds/, /home/gitlab-runner/builds/, /tmp/, /var/lib/gitlab-runner/), and collects host fingerprint data (hostname, platform, user, cwd). The collected payload is POSTed over HTTPS with TLS certificate verification disabled (rejectUnauthorized: false) to two attacker-controlled collectors: webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net. The package is published at version 99.99.99 with a self-description of 'CryptoDAO internal' and an in-source comment labeling itself a 'Dependency Confusion Reconnaissance Payload', the canonical dependency-confusion shape: an implausibly high version number intended to win resolution against a private internal package of the same name. Installer harm is immediate and severe: any CI/CD environment that resolves this package will leak credentials sufficient for cloud account takeover, npm package hijack, source code access, and wallet theft.
The OpenSSF Package Analysis project identified 'cryptodao-signer' @ 99.99.99 (npm) as malicious.
It is considered malicious because:
{
  "malicious-packages-origins": [
    {
      "id": "IN-MAL-2026-006869",
      "import_time": "2026-06-17T05:45:41.333050296Z",
      "source": "amazon-inspector",
      "versions": [
        "99.99.99"
      ],
      "sha256": "dce8426b1d9dc5bde6547b58a21f2d3b519e56f7c2f948aa7e2173261532cee7",
      "modified_time": "2026-06-17T04:04:33Z"
    },
    {
      "import_time": "2026-06-17T05:45:38.800829422Z",
      "versions": [
        "99.99.99"
      ],
      "source": "ossf-package-analysis",
      "modified_time": "2026-06-17T03:53:07Z",
      "sha256": "adb022e34dd29af7dba5d5a60414faf0392c868d3a670c4f770b6ff873db1249"
    }
  ]
}
Source record: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-signer/MAL-2026-5977.json
[
  {
    "name": "Embedded Malicious Code",
    "description": "The product contains code that appears to be malicious in nature.",
    "cweId": "CWE-506"
  }
]
{
  "package_integrity": [
    {
      "filename": "cryptodao-signer-99.99.99.tgz",
      "hashes": {
        "sha1": "bdca29b5907ef42cdb7b0eb357139d17e17fc254",
        "sha512_sri": "sha512-TnzNTkzGB+LS/OsovopW+JcsPwjU0pgb4+/crj+K78JAtKhEky42jWW9UPatsyn5/s7ZrnlKROogvD3Hi2UCYw=="
      }
    }
  ],
  "evidence_files": [
    {
      "path": "recon.js",
      "sha256": "3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740",
      "tlsh": "e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef"
    },
    {
      "path": "package.json",
      "sha256": "e88fab893d9fb4ad7a6484fd89dbee481285dc8fa965c7600013fa53071638aa",
      "tlsh": "2bd0a7741d31fb3335ce1a97c83194456eb20d6e2185960403c7116941ed1b765ff21d"
    }
  ]
}