MAL-2026-10600
Malicious code in @public-for-cdao/api (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4d844c4af5615aa5e7eb8470e79d2e95b841e91a8a23df81bafdb56f656b0111) @public-for-cdao/api@99.99.99 is a high-version public squat of a presumed private @cdao/api scope (index.js exports name '@cdao/api'; package description 'CryptoDAO api module - internal use'). package.json declares a postinstall script that runs recon.js on `npm install`. recon.js enumerates a curated list of ~30 CI/CD, cloud, wallet, and registry secret environment variables (including AWS_SECRET_ACCESS_KEY, CI_JOB_TOKEN, NPM_TOKEN, GITLAB_ACCESS_TOKEN, DOCKER_PASSWORD, PRIVATE_KEY, MNEMONIC), scans multiple.env file paths for lines matching KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC, collects host identifiers (hostname, OS, arch, username, cwd) and directory listings of /builds/, /home/gitlab-runner/builds/, /tmp/, and /var/lib/gitlab-runner/, and HTTPS-POSTs the aggregated payload with rejectUnauthorized:false to two hardcoded exfiltration endpoints: https://webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and https://enqoojbegdvxj.x.pipedream.net. The recon.js header comment self-labels the file as 'CryptoDAO Dependency Confusion Reconnaissance Payload'.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @public-for-cdao/api (npm). Pin to a known-safe version or switch to an alternative.