@public-for-cdao/abi @99.99.99
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10599
Ecosystem
npm
Summary
The package installs a postinstall script (recon.js) that runs automatically on npm install. The script enumerates a hardcoded list of installer environment variables (including AWS_SECRET_ACCESS_KEY, CI_JOB_TOKEN, NPM_TOKEN, MNEMONIC, private-key and database-password names), scans multiple.env file paths for lines matching KEY/SECRET/TOKEN/PASS/MNEMONIC patterns, and collects host identifiers (hostname, platform, arch, username, cwd) plus directory listings under /builds/, /home/gitlab-runner/builds/, /tmp/, and /var/lib/gitlab-runner/. The collected JSON payload is written to /tmp/.npm_recon_<ts>.json and POSTed via https.request to two attacker-controlled endpoints: webhook.site and enqoojbegdvxj.x.pipedream.net. The package name @public-for-cdao/abi with a 99.99.99 version and an index.js that returns {name:'@cdao/abi'} targets a private @cdao/abi scope via dependency confusion; a code comment labels the file 'CryptoDAO Dependency Confusion Reconnaissance Payload'.
Source: amazon-inspector (102277e30b4f56dba5ebfb6a6a0ba076163907bfd28b2055b7fe6870261071f6)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.