MAL-2026-5978

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-utils/MAL-2026-5978.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5978
Published
2026-06-17T03:53:13Z
Modified
2026-06-17T06:02:03.254409960Z
Summary
Malicious code in cryptodao-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (97e08a5a6fa93f0080d53371f566846f4258ed5e50479f43b9fc10c7a9716410)

package.json declares postinstall: node recon.js, which runs automatically on every npm install. recon.js harvests host information and a curated list of credential-bearing environment variables (AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, CI_JOB_TOKEN, SSH_PRIVATE_KEY, DB_PASSWORD, PRIVATE_KEY, MNEMONIC, SEED_PHRASE, DOCKER_PASSWORD, and others), grep-reads .env files at common installer paths for lines containing KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC, and POSTs the collected bundle to two attacker-controlled endpoints: https://webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and https://enqoojbegdvxj.x.pipedream.net/. The HTTPS requests are issued with rejectUnauthorized: false, which disables certificate validation so that exfiltration still succeeds through TLS-intercepting proxies. The package self-identifies in source comments as a 'CryptoDAO Dependency Confusion Reconnaissance Payload' and is published at version 99.99.99, the canonical shape used to outrank an internal cryptodao-utils package during registry resolution. Combined, this is a complete dependency-confusion credential-harvest attack against any installer whose build pipeline resolves the public name.

Source: ossf-package-analysis (fb6683ae60f6a98342ecd5399e61fbcbde57eebadc193eaa484d7adde2318bea)

The OpenSSF Package Analysis project identified 'cryptodao-utils' @ 99.99.99 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "97e08a5a6fa93f0080d53371f566846f4258ed5e50479f43b9fc10c7a9716410",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T04:04:29Z",
            "versions": [
                "99.99.99"
            ],
            "id": "IN-MAL-2026-006863",
            "import_time": "2026-06-17T05:45:41.077244522Z"
        },
        {
            "sha256": "fb6683ae60f6a98342ecd5399e61fbcbde57eebadc193eaa484d7adde2318bea",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-17T03:53:13Z",
            "versions": [
                "99.99.99"
            ],
            "import_time": "2026-06-17T05:45:38.882127481Z"
        }
    ]
}

Affected packages

Package: npm / cryptodao-utils

Affected ranges: none listed

Affected versions: 99.99.99

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptodao-utils/MAL-2026-5978.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "3dd1f7827fe311d17f442e0af0fab46f3f1a938bb3409838536795fb1aa0f740",
            "tlsh": "e481c9f046f1623815622784541f1012917bf297f2a6bbf4b6dc023a0faa96045f6fef",
            "path": "recon.js"
        },
        {
            "sha256": "b45d3fd80997a873df55c6332c850ee0c247cdda0e13e8062cb5df9807279081",
            "tlsh": "d5d0a7341d32bf2336cd1a976935980526f10d5e110496180387116852ed5f6b4ff219",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-g/iUDwI+F1OE2bk2mNj53EP3FoLTiutYcbgfL72/8mLzE+tYR6onaaQW2mmuXT8uUYENPFvCIKqhRLcdjy1qbA==",
                "sha1": "95cc390e3b4f39056aa6d4715b5c93abc917ba3b"
            },
            "filename": "cryptodao-utils-99.99.99.tgz"
        }
    ]
}