MAL-2026-5968
Malicious code in cryptodao-deploy (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5323b2fc30e7603b402729f45345a9c3eb4af8361acaca5d035cc51f9e660cea)

package.json declares `postinstall: node recon.js`, which fires automatically on `npm install`. recon.js enumerates installer-side secrets (AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, DB_PASSWORD, MNEMONIC and similar credential-shaped environment variables), reads `.env` files at multiple paths, and lists CI runner directories such as `/builds/` and `/home/gitlab-runner/`. It also collects host/identity reconnaissance (hostname, platform, user, cwd, CI_PROJECT_PATH, CI_JOB_ID, CI_REGISTRY_USER/PASSWORD). The collected data is JSON-serialized and POSTed via `https.request` with `rejectUnauthorized:false` to webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net. The package is named `cryptodao-deploy` and published at version 99.99.99 with an in-source comment 'CryptoDAO Dependency Confusion Reconnaissance Payload', indicating intent to override an internal private package via dependency-confusion resolution and run the exfil payload inside the victim's CI.

## Source: ossf-package-analysis (2611f17b04a754eafe632f845f449c6bd036c048ac8b1c31295491524ccaecaa)

The OpenSSF Package Analysis project identified 'cryptodao-deploy' @ 99.99.99 (npm) as malicious.
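The two traits the advisory describes, an install-time lifecycle script and an implausibly high version chosen to win dependency-confusion resolution, are both visible in package metadata before anything runs. The following audit script is an added example, not part of the OSV record or of either source's tooling; it walks a `node_modules` tree (or any directory of manifests), flags `preinstall`/`install`/`postinstall` hooks and suspicious versions, and optionally checks names against a list of internal package names the reader supplies. The major-version threshold and the sample manifests are constructed for illustration.

```python
"""Audit npm package manifests for install-time hooks and dependency-confusion
version patterns. Added example for this advisory; not the advisory's own code."""
import json
import os
import re

# Lifecycle hooks npm runs automatically for a dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic threshold (an assumption, not from the advisory): a dependency-
# confusion package is published with an absurd version so the resolver prefers
# it over the internal one; 99.99.99 in this advisory is typical.
SUSPICIOUS_MAJOR = 90

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def audit_manifest(manifest: dict, internal_names=frozenset()) -> list:
    """Return a list of human-readable findings for one parsed package.json."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    version = str(manifest.get("version", ""))
    scripts = manifest.get("scripts") or {}

    # Any install hook is worth review: it runs with the installer's environment.
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"{name}@{version}: runs `{hook}` hook: {scripts[hook]!r}")

    # Implausibly high version numbers are a dependency-confusion signature.
    m = SEMVER.match(version)
    if m and int(m.group(1)) >= SUSPICIOUS_MAJOR:
        findings.append(f"{name}@{version}: implausibly high version (dependency-confusion pattern)")

    # Names that collide with internal packages must come from the private registry.
    if name in internal_names:
        findings.append(f"{name}@{version}: name matches an internal package; verify its registry source")
    return findings


def audit_tree(root: str, internal_names=frozenset()) -> list:
    """Walk a directory tree and audit every package.json found under it."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        findings.extend(audit_manifest(manifest, internal_names))
    return findings


# Constructed sample manifests mirroring the advisory's description (not real files).
MALICIOUS_SAMPLE = {
    "name": "cryptodao-deploy",
    "version": "99.99.99",
    "scripts": {"postinstall": "node recon.js"},
}
BENIGN_SAMPLE = {
    "name": "left-pad-like",
    "version": "1.3.0",
    "scripts": {"test": "node test.js"},
}

if __name__ == "__main__":
    internal = {"cryptodao-deploy"}  # assumed list of the organisation's private package names
    for sample in (MALICIOUS_SAMPLE, BENIGN_SAMPLE):
        for line in audit_manifest(sample, internal):
            print(line)
```

Run `audit_tree("node_modules", internal_names={...})` after an install to list every dependency that would have executed code on the build host. Two npm settings close the gaps the audit reports: `ignore-scripts=true` in `.npmrc` stops lifecycle hooks from running at all, and a scoped registry entry (`@yourscope:registry=https://<private registry>`) pins internal names to the private registry so a public package of the same name cannot be resolved in their place. In CI, outbound connections to the two exfiltration endpoints named in the advisory are a concrete egress detection for this campaign.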
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected packages
No fixed version published yet for cryptodao-deploy (npm). Pin to a known-safe version or switch to an alternative.