npm · Malicious package advisory
Malwarecryptodao-deploy
MAL-2026-5968
Malicious code in cryptodao-deploy (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (5323b2fc30e7603b402729f45345a9c3eb4af8361acaca5d035cc51f9e660cea) package.json declares `postinstall: node recon.js`, which fires automatically on `npm install`. recon.js enumerates installer-side secrets — AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, DB_PASSWORD, MNEMONIC and similar credential-shaped environment variables — reads `.env` files at multiple paths, and lists CI runner directories such as `/builds/` and `/home/gitlab-runner/`. It also collects host/identity reconnaissance (hostname, platform, user, cwd, CI_PROJECT_PATH, CI_JOB_ID, CI_REGISTRY_USER/PASSWORD). The collected data is JSON-serialized and POSTed via `https.request` with `rejectUnauthorized:false` to webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net. The package is named `cryptodao-deploy` and published at version 99.99.99 with an in-source comment 'CryptoDAO Dependency Confusion Reconnaissance Payload', indicating intent to override an internal private package via dependency-confusion resolution and run the exfil payload inside the victim's CI. ## Source: ossf-package-analysis (2611f17b04a754eafe632f845f449c6bd036c048ac8b1c31295491524ccaecaa) The OpenSSF Package Analysis project identified 'cryptodao-deploy' @ 99.99.99 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 99.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.