MAL-2026-5970
Malicious code in cryptodao-types (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (39fca1d76ba65e01fbd3319d6752bb0dc896f9cc356676c6bfad3671d8b1e0d9)

On `npm install`, the package's postinstall script (recon.js) harvests installer-side secrets and POSTs them to attacker-controlled webhook endpoints. The script collects hostname, username, cwd, and roughly 40 named environment variables including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, PRIVATE_KEY, MNEMONIC, SEED_PHRASE, and DB_PASSWORD. It also reads `.env` and `.env.production` files from the current working directory, parent directories, `/`, `/app`, and `/root`, and enumerates `/builds` and gitlab-runner directories. The collected payload is then sent via HTTPS to `webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd` and `enqoojbegdvxj.x.pipedream.net` with `rejectUnauthorized: false` to bypass TLS-inspecting corporate proxies. The package name combined with version 99.99.99 and the internal-sounding description is consistent with a dependency-confusion attack targeting an organization's internal CI builds.
## Source: ossf-package-analysis (366efc73a08168b218b200ec6b3eb29daf6e48834e7b53b50bc931b7f90bf91b)

The OpenSSF Package Analysis project identified 'cryptodao-types' @ 99.99.99 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
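The behaviour described above (an install-time lifecycle hook, a script that talks to known exfiltration hosts with TLS verification disabled, and an inflated version number typical of dependency confusion) can be checked for in an installed `node_modules` tree. The script below is an added example written for this advisory; it is not code from OSV, Amazon Inspector or the OpenSSF project. It walks a directory, lists every package that declares an install hook, greps the hook's JavaScript file for the indicators named in this advisory (`webhook.site`, `pipedream.net`, `rejectUnauthorized: false`), and flags versions such as 99.99.99. The `build_sample_tree` fixture is constructed for the demonstration; its `recon.js` is a placeholder that only contains indicator strings and collects nothing.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators taken from the advisory text: the two exfiltration hosts and the
# option used to bypass TLS-inspecting proxies.
SUSPICIOUS_PATTERNS = (
    re.compile(r"webhook\.site"),
    re.compile(r"\.pipedream\.net"),
    re.compile(r"rejectUnauthorized\s*:\s*false"),
)

# A version like 99.99.99 is a dependency-confusion tell: the public package is
# meant to out-rank any version number an internal registry could publish.
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def version_looks_inflated(version, threshold=90):
    """True when the major version is implausibly high (assumed threshold: 90)."""
    m = SEMVER.match(version or "")
    return bool(m) and int(m.group(1)) >= threshold


def audit_package(pkg_dir):
    """Return a list of finding strings for one installed package directory."""
    pkg_dir = Path(pkg_dir)
    try:
        meta = json.loads((pkg_dir / "package.json").read_text())
    except (OSError, ValueError):
        return []
    findings = []
    name = meta.get("name", pkg_dir.name)
    version = meta.get("version", "")
    scripts = meta.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook not in scripts:
            continue
        findings.append(f"{name}@{version}: runs '{hook}' hook: {scripts[hook]}")
        # Inspect any .js file the hook command names for the known indicators.
        for token in scripts[hook].split():
            if token.endswith(".js") and (pkg_dir / token).is_file():
                body = (pkg_dir / token).read_text(errors="replace")
                for pat in SUSPICIOUS_PATTERNS:
                    if pat.search(body):
                        findings.append(f"{name}@{version}: {token} matches /{pat.pattern}/")
    if version_looks_inflated(version):
        findings.append(f"{name}@{version}: inflated version (dependency-confusion pattern)")
    return findings


def audit_node_modules(root):
    """Walk a node_modules tree (or any directory) and audit every package.json found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            findings.extend(audit_package(dirpath))
    return findings


def build_sample_tree():
    """Constructed fixture: one benign package and one shaped like this advisory."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    good = root / "harmless-lib"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({"name": "harmless-lib", "version": "1.3.0"}))
    bad = root / "cryptodao-types"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({
        "name": "cryptodao-types",
        "version": "99.99.99",
        "scripts": {"postinstall": "node recon.js"},
    }))
    # Placeholder holding only indicator strings; it performs no collection or network I/O.
    (bad / "recon.js").write_text(
        "// constructed sample for the detector\n"
        "const opts = { hostname: 'webhook.site', rejectUnauthorized: false };\n"
    )
    return root


if __name__ == "__main__":
    for line in audit_node_modules(build_sample_tree()):
        print(line)
```

Run it against a real checkout with `audit_node_modules("path/to/node_modules")`. Any hit on an install hook deserves a look regardless of the indicator grep, since the grep only knows the hosts this advisory names; the structural tell (a postinstall hook in a package nobody on the team recognises, at a version far above the internal one) is the durable signal. Installing with `npm install --ignore-scripts` in CI prevents the hook from running at all while the finding is triaged.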
Affected packages
No fixed version published yet for cryptodao-types (npm). Pin to a known-safe version or switch to an alternative.