MAL-2026-5978
Malicious code in cryptodao-utils (npm)
Details
## Source: amazon-inspector (97e08a5a6fa93f0080d53371f566846f4258ed5e50479f43b9fc10c7a9716410)

package.json declares `postinstall: node recon.js`, which runs automatically on every `npm install`. recon.js harvests host information and a curated list of credential-bearing environment variables (AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, CI_JOB_TOKEN, SSH_PRIVATE_KEY, DB_PASSWORD, PRIVATE_KEY, MNEMONIC, SEED_PHRASE, DOCKER_PASSWORD, and others), grep-reads `.env` files at common installer paths for KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC lines, and POSTs the collected bundle to two attacker-controlled endpoints: `https://webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd` and `https://enqoojbegdvxj.x.pipedream.net/`. The HTTPS requests are issued with `rejectUnauthorized: false`, disabling certificate validation so that exfiltration succeeds even through TLS-intercepting proxies. The package self-identifies in source comments as a 'CryptoDAO Dependency Confusion Reconnaissance Payload' and is published at version 99.99.99, the canonical shape used to outrank an internal `cryptodao-utils` package during registry resolution. Combined, this is a complete dependency-confusion credential-harvest attack against any installer whose build pipeline resolves the public name.
## Source: ossf-package-analysis (fb6683ae60f6a98342ecd5399e61fbcbde57eebadc193eaa484d7adde2318bea)

The OpenSSF Package Analysis project identified 'cryptodao-utils' @ 99.99.99 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
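The indicators described in the Amazon Inspector source (an install-time lifecycle hook, an internal name published at an implausibly high version, TLS validation disabled, and bulk reads of credential-bearing environment variables) can be turned into a CI-side triage check. The following is an added example written for this advisory; it is not code from the advisory, from Amazon Inspector, from OpenSSF, or from the package itself. The `INTERNAL_NAMES` list, the `.npmrc` samples and the `recon.js` excerpt are all constructed for the demonstration, and `scopeIsPinned` assumes the standard dependency-confusion mitigation of publishing internal packages under a scope that `.npmrc` pins to a private registry.

```javascript
// Added example: CI-side triage of a freshly installed npm package for the
// dependency-confusion indicators this advisory describes. Not the advisory's
// or the package's own code; all sample inputs below are constructed.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Environment variable names the advisory lists as harvested by recon.js.
const SENSITIVE_ENV = [
  "AWS_SECRET_ACCESS_KEY", "NPM_TOKEN", "GITLAB_ACCESS_TOKEN", "CI_JOB_TOKEN",
  "SSH_PRIVATE_KEY", "DB_PASSWORD", "PRIVATE_KEY", "MNEMONIC", "SEED_PHRASE",
  "DOCKER_PASSWORD",
];

// Names that exist only in the organisation's private registry
// (hypothetical list; a real deployment would load it from configuration).
const INTERNAL_NAMES = new Set(["cryptodao-utils"]);

// Returns human-readable findings for one installed package.
// pkg: parsed package.json object; sources: { filename: file contents }.
function triagePackage(pkg, sources) {
  const findings = [];

  // 1. Lifecycle hooks: anything here executes on every `npm install`.
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`install hook "${hook}" runs: ${scripts[hook]}`);
  }

  // 2. Dependency-confusion shape: an internal name appearing on the public
  //    registry with a version high enough to win semver resolution.
  const major = Number.parseInt(String(pkg.version).split(".")[0], 10);
  if (INTERNAL_NAMES.has(pkg.name) && major >= 99) {
    findings.push(`internal name "${pkg.name}" at version ${pkg.version} (dependency-confusion shape)`);
  }

  // 3. Source indicators: certificate validation disabled, and references
  //    to several credential-bearing environment variables in one file.
  for (const [file, text] of Object.entries(sources)) {
    if (/rejectUnauthorized\s*:\s*false/.test(text)) {
      findings.push(`${file}: disables TLS certificate validation`);
    }
    const envHits = SENSITIVE_ENV.filter((name) => text.includes(name));
    if (envHits.length >= 3) {
      findings.push(`${file}: references ${envHits.length} credential env vars (${envHits.slice(0, 3).join(", ")}, ...)`);
    }
  }
  return findings;
}

// Mitigation check: does .npmrc pin the given scope to a private registry?
// Internal packages published under a pinned scope never resolve from the
// public registry, so a public 99.99.99 lookalike cannot outrank them.
function scopeIsPinned(npmrcText, scope) {
  const wanted = `${scope}:registry=`;
  return npmrcText.split("\n").some((line) => line.trim().startsWith(wanted));
}

// Constructed sample mirroring the advisory's description (not the real package).
const SAMPLE_PKG = {
  name: "cryptodao-utils",
  version: "99.99.99",
  scripts: { postinstall: "node recon.js" },
};
const SAMPLE_SOURCES = {
  "recon.js": [
    "// constructed excerpt carrying only the indicator strings",
    'const WANTED = ["AWS_SECRET_ACCESS_KEY", "NPM_TOKEN", "CI_JOB_TOKEN", "MNEMONIC"];',
    'const opts = { method: "POST", rejectUnauthorized: false };',
  ].join("\n"),
};
// Constructed .npmrc contents: the first leaves the scope unpinned.
const SAMPLE_NPMRC_BAD = "registry=https://registry.npmjs.org/\n";
const SAMPLE_NPMRC_GOOD = "@cryptodao:registry=https://npm.internal.example/\n";

function main() {
  for (const f of triagePackage(SAMPLE_PKG, SAMPLE_SOURCES)) console.log("FINDING:", f);
  console.log("scope pinned (bad .npmrc): ", scopeIsPinned(SAMPLE_NPMRC_BAD, "@cryptodao"));
  console.log("scope pinned (good .npmrc):", scopeIsPinned(SAMPLE_NPMRC_GOOD, "@cryptodao"));
}
main();
```

On the constructed sample the triage reports four findings (the postinstall hook, the 99.99.99 internal-name shape, the disabled certificate validation, and the credential env-var references), while a clean unscoped package with no install hooks reports none. The `.npmrc` check is the preventive half: if the scope is not pinned, the fix is to publish internal packages under a scope and pin that scope, rather than to rely on catching each lookalike after install.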
Affected packages
No fixed version published yet for cryptodao-utils (npm). Pin to a known-safe version or switch to an alternative.