OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10600 confirms this npm version as malicious. @public-for-cdao/api@99.99.99 is a high-version public squat of a presumed private @cdao/api scope (index.js exports name '@cdao/api'; package description 'CryptoDAO api module - internal use'). package.json declares a postinstall script that runs recon.js on `npm install`. recon.js enumerates a curated list of ~30 CI/CD, cloud, wallet, and registry secret environment variables (including AWS_SECRET_ACCESS_KEY,...
Advisory
MAL-2026-10600
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @public-for-cdao/api (npm)
Details
@public-for-cdao/api@99.99.99 is a high-version public squat of a presumed private @cdao/api scope (index.js exports name '@cdao/api'; package description 'CryptoDAO api module - internal use'). package.json declares a postinstall script that runs recon.js on `npm install`. recon.js enumerates a curated list of ~30 CI/CD, cloud, wallet, and registry secret environment variables (including AWS_SECRET_ACCESS_KEY, CI_JOB_TOKEN, NPM_TOKEN, GITLAB_ACCESS_TOKEN, DOCKER_PASSWORD, PRIVATE_KEY, MNEMONIC), scans multiple.env file paths for lines matching KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC, collects host identifiers (hostname, OS, arch, username, cwd) and directory listings of /builds/, /home/gitlab-runner/builds/, /tmp/, and /var/lib/gitlab-runner/, and HTTPS-POSTs the aggregated payload with rejectUnauthorized:false to two hardcoded exfiltration endpoints: https://webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and https://enqoojbegdvxj.x.pipedream.net. The recon.js header comment self-labels the file as 'CryptoDAO Dependency Confusion Reconnaissance Payload'.
Decision reason
OpenSSF Malicious Packages via OSV confirms @public-for-cdao/api@99.99.99 as malicious (MAL-2026-10600): Malicious code in @public-for-cdao/api (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory