OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10602 confirms this npm version as malicious. The package ships a postinstall script (recon.js) that runs at npm install time. It collects host identifiers (hostname, platform, arch, username, cwd), enumerates roughly 30 sensitive environment variables (including AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, MNEMONIC, DB_PASSWORD), reads.env files from paths such as.env, /app/.env, /root/.env, and greps for lines matching...
Advisory
MAL-2026-10602
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @public-for-cdao/config (npm)
Details
The package ships a postinstall script (recon.js) that runs at npm install time. It collects host identifiers (hostname, platform, arch, username, cwd), enumerates roughly 30 sensitive environment variables (including AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, MNEMONIC, DB_PASSWORD), reads.env files from paths such as.env, /app/.env, /root/.env, and greps for lines matching KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC. It also enumerates CI build directories under /builds/, /home/gitlab-runner/builds/, and /var/lib/gitlab-runner/. The collected data is serialized as JSON and HTTP POSTed via https.request to two attacker-controlled collectors: webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net. The package name and 99.99.99 version are consistent with a dependency-confusion lure targeting an internal @public-for-cdao/config scope.
Decision reason
OpenSSF Malicious Packages via OSV confirms @public-for-cdao/config@99.99.99 as malicious (MAL-2026-10602): Malicious code in @public-for-cdao/config (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory