registry  /  @public-for-cdao/abi  /  99.99.99

@public-for-cdao/abi@99.99.99

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10599 confirms this npm version as malicious. The package installs a postinstall script (recon.js) that runs automatically on npm install. The script enumerates a hardcoded list of installer environment variables (including AWS_SECRET_ACCESS_KEY, CI_JOB_TOKEN, NPM_TOKEN, MNEMONIC, private-key and database-password names), scans multiple.env file paths for lines matching KEY/SECRET/TOKEN/PASS/MNEMONIC patterns, and collects host identifiers (hostname, platform,...

Advisory
MAL-2026-10599
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @public-for-cdao/abi (npm)
Details
The package installs a postinstall script (recon.js) that runs automatically on npm install. The script enumerates a hardcoded list of installer environment variables (including AWS_SECRET_ACCESS_KEY, CI_JOB_TOKEN, NPM_TOKEN, MNEMONIC, private-key and database-password names), scans multiple.env file paths for lines matching KEY/SECRET/TOKEN/PASS/MNEMONIC patterns, and collects host identifiers (hostname, platform, arch, username, cwd) plus directory listings under /builds/, /home/gitlab-runner/builds/, /tmp/, and /var/lib/gitlab-runner/. The collected JSON payload is written to /tmp/.npm_recon_<ts>.json and POSTed via https.request to two attacker-controlled endpoints: webhook.site and enqoojbegdvxj.x.pipedream.net. The package name `@public-for-cdao/abi` with a 99.99.99 version and an index.js that returns `{name:'@cdao/abi'}` targets a private `@cdao/abi` scope via dependency confusion; a code comment labels the file 'CryptoDAO Dependency Confusion Reconnaissance Payload'.
Decision reason
OpenSSF Malicious Packages via OSV confirms @public-for-cdao/abi@99.99.99 as malicious (MAL-2026-10599): Malicious code in @public-for-cdao/abi (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory