registry  /  @public-for-cdao/token  /  99.99.99

@public-for-cdao/token@99.99.99

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10603 confirms this npm version as malicious. Package `@public-for-cdao/token@99.99.99` is a dependency-confusion payload targeting an internal `@cdao/token` scope. `package.json` declares a `postinstall` hook that runs `node recon.js`, which on `npm install` collects host identity (`os.hostname()`, username, platform, cwd), iterates a large list of CI/CD and cloud credential environment variables (including `AWS_SECRET_ACCESS_KEY`, `NPM_TOKEN`, `GITLAB_*`...

Advisory
MAL-2026-10603
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @public-for-cdao/token (npm)
Details
Package `@public-for-cdao/token@99.99.99` is a dependency-confusion payload targeting an internal `@cdao/token` scope. `package.json` declares a `postinstall` hook that runs `node recon.js`, which on `npm install` collects host identity (`os.hostname()`, username, platform, cwd), iterates a large list of CI/CD and cloud credential environment variables (including `AWS_SECRET_ACCESS_KEY`, `NPM_TOKEN`, `GITLAB_*` tokens, `PRIVATE_KEY`, `MNEMONIC`, `DB_PASSWORD`), reads `.env*` files at multiple paths and greps for KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC lines, and enumerates GitLab-runner build directories under `/builds/`, `/home/gitlab-runner/builds/`, and `/var/lib/gitlab-runner/`. The collected data is JSON-serialized and POSTed over HTTPS with `rejectUnauthorized:false` to two attacker-controlled endpoints: `webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd` and `enqoojbegdvxj.x.pipedream.net`. The version `99.99.99` and mismatched public scope are consistent with attempting to preempt resolution of an internal package of the same base name.
Decision reason
OpenSSF Malicious Packages via OSV confirms @public-for-cdao/token@99.99.99 as malicious (MAL-2026-10603): Malicious code in @public-for-cdao/token (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory