VDB
KO

MAL-2026-10603

Malicious code in @public-for-cdao/token (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (eb59d96acba76c5d5e2044eae3d7dfeb33bc19f10d75aa04fcf6765ad9b7fde8) Package `@public-for-cdao/token@99.99.99` is a dependency-confusion payload targeting an internal `@cdao/token` scope. `package.json` declares a `postinstall` hook that runs `node recon.js`, which on `npm install` collects host identity (`os.hostname()`, username, platform, cwd), iterates a large list of CI/CD and cloud credential environment variables (including `AWS_SECRET_ACCESS_KEY`, `NPM_TOKEN`, `GITLAB_*` tokens, `PRIVATE_KEY`, `MNEMONIC`, `DB_PASSWORD`), reads `.env*` files at multiple paths and greps for KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC lines, and enumerates GitLab-runner build directories under `/builds/`, `/home/gitlab-runner/builds/`, and `/var/lib/gitlab-runner/`. The collected data is JSON-serialized and POSTed over HTTPS with `rejectUnauthorized:false` to two attacker-controlled endpoints: `webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd` and `enqoojbegdvxj.x.pipedream.net`. The version `99.99.99` and mismatched public scope are consistent with attempting to preempt resolution of an internal package of the same base name.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @public-for-cdao/token

No fixed version published yet for @public-for-cdao/token (npm). Pin to a known-safe version or switch to an alternative.

References