VYPR

npm · Malicious package advisory

Malware

cryptodao-types

MAL-2026-5970

Malicious code in cryptodao-types (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (39fca1d76ba65e01fbd3319d6752bb0dc896f9cc356676c6bfad3671d8b1e0d9)
On `npm install`, the package's postinstall script (recon.js) harvests installer-side secrets and POSTs them to attacker-controlled webhook endpoints. The script collects hostname, username, cwd, and roughly 40 named environment variables including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, PRIVATE_KEY, MNEMONIC, SEED_PHRASE, and DB_PASSWORD. It also reads `.env` and `.env.production` files from the current working directory, parent directories, `/`, `/app`, and `/root`, and enumerates `/builds` and gitlab-runner directories. The collected payload is then sent via HTTPS to `webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd` and `enqoojbegdvxj.x.pipedream.net` with `rejectUnauthorized: false` to bypass TLS-inspecting corporate proxies. The package name combined with version 99.99.99 and the internal-sounding description is consistent with a dependency-confusion attack targeting an organization's internal CI builds.

## Source: ossf-package-analysis (366efc73a08168b218b200ec6b3eb29daf6e48834e7b53b50bc931b7f90bf91b)
The OpenSSF Package Analysis project identified 'cryptodao-types' @ 99.99.99 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (1)

  • 99.99.99

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.