MAL-2026-5967
Malicious code in cryptodao-config (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2b5f3b7ec6eecce3d891664f33660a1c612cdd3c6ac99ba52633ef77a2df543c)

On `npm install`, the package's postinstall hook runs `node recon.js`, which harvests secrets from the installing host and POSTs them over HTTPS, with TLS certificate verification disabled, to two attacker-controlled collectors: `webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd` and `enqoojbegdvxj.x.pipedream.net`.

The payload (recon.js) does the following:

- reads a curated list of high-value environment variables, including `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `CI_JOB_TOKEN`, `CI_REGISTRY_PASSWORD`, `GITLAB_ACCESS_TOKEN`, `SSH_PRIVATE_KEY`, `NPM_TOKEN`, `MNEMONIC`, `PRIVATE_KEY` and `DB_PASSWORD`;
- reads several `.env` files (`./.env`, `/app/.env`, `/home/gitlab-runner/.env`, `/root/.env`) and keeps only the lines matching `/KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC/i`;
- enumerates GitLab runner build directories (`/builds`, `/home/gitlab-runner/builds/`);
- ships the resulting JSON to the two endpoints above.

The package is published at version `99.99.99`, the canonical dependency-confusion override version, and a comment in recon.js self-identifies it as a 'CryptoDAO Dependency Confusion Reconnaissance Payload', confirming the intent to be auto-installed by victim pipelines that maintain an internal `cryptodao-config` package.
## Source: ossf-package-analysis (c9afe812a548e5d3b8158d3e359c37ec874e86c003476c8dc7b9de732113ca86)

The OpenSSF Package Analysis project identified 'cryptodao-config' @ 99.99.99 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
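A defender-side pre-install triage check for the indicators described in the two source entries above, added here as an example and not part of the advisory or of the package: it flags install lifecycle hooks, a name that collides with an internal package, the `99.99.99` version pattern, and source-level markers taken from the description (the secret-filter regex, disabled TLS verification, the two collector domains). The internal-name list, the `>= 99` major-version threshold and the sample files are constructed assumptions.

```javascript
// Added example, not part of the advisory or of the malicious package.
// Pre-install triage of a package's package.json and script files, using
// indicators the advisory reports: an install lifecycle hook, the 99.99.99
// dependency-confusion version, the secret-filter regex, TLS verification
// disabled, and the two collector domains. Thresholds and the internal-name
// list are assumptions for the example.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const COLLECTOR_DOMAINS = ["webhook.site", "pipedream.net"]; // from the advisory
const INDICATORS = [
  // Certificate checks switched off before an outbound POST
  { id: "tls-verify-disabled", re: /NODE_TLS_REJECT_UNAUTHORIZED|rejectUnauthorized\s*:\s*false/ },
  // The literal filter recon.js applied to .env lines
  { id: "secret-env-filter", re: /KEY\|SECRET\|TOKEN\|PASS/ },
  // Reading dotenv files, including ones outside the package itself
  { id: "env-file-read", re: /\.env['"]/ },
  { id: "collector-domain", re: new RegExp(COLLECTOR_DOMAINS.map((d) => d.replace(/\./g, "\\.")).join("|")) },
];

// pkgJsonText: contents of package.json; scriptSources: {filename: source text};
// internalNames: package names that should only exist in a private registry.
function triagePackage(pkgJsonText, scriptSources, internalNames) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle-hook:${hook}=${scripts[hook]}`);
  }
  if (internalNames.includes(pkg.name)) findings.push("name-collides-with-internal-package");
  // 99.99.99 is the version the advisory describes; any major >= 99 is treated
  // as the same override pattern (assumed threshold).
  if (parseInt(String(pkg.version).split(".")[0], 10) >= 99) findings.push("dependency-confusion-version");
  for (const [file, src] of Object.entries(scriptSources)) {
    for (const ind of INDICATORS) if (ind.re.test(src)) findings.push(`${ind.id}:${file}`);
  }
  return findings;
}

// Constructed sample input mirroring the advisory's description (not the real files).
const SAMPLE_PKG = JSON.stringify({ name: "cryptodao-config", version: "99.99.99", scripts: { postinstall: "node recon.js" } });
const SAMPLE_SRC = {
  "recon.js": [
    "// constructed stand-in for the recon script described in the advisory",
    "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';",
    "const filter = /KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC/i;",
    "const envFiles = ['./.env', '/app/.env', '/root/.env'];",
    "const collector = 'https://webhook.site/<id>';",
  ].join("\n"),
};

console.log(triagePackage(SAMPLE_PKG, SAMPLE_SRC, ["cryptodao-config"]));
```

Run it on an unpacked tarball before `npm install`, or install with `npm install --ignore-scripts` so that a flagged lifecycle hook cannot execute at all.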
Affected packages
No fixed version published yet for cryptodao-config (npm). Pin to a known-safe version or switch to an alternative.