npm

@public-for-cdao/api @99.99.99

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10600

Ecosystem

npm

Summary

@public-for-cdao/api@99.99.99 is a high-version public squat of a presumed private @cdao/api scope (index.js exports name '@cdao/api'; package description 'CryptoDAO api module - internal use'). package.json declares a postinstall script that runs recon.js on npm install . recon.js enumerates a curated list of ~30 CI/CD, cloud, wallet, and registry secret environment variables (including AWS_SECRET_ACCESS_KEY, CI_JOB_TOKEN, NPM_TOKEN, GITLAB_ACCESS_TOKEN, DOCKER_PASSWORD, PRIVATE_KEY, MNEMONIC), scans multiple.env file paths for lines matching KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC, collects host identifiers (hostname, OS, arch, username, cwd) and directory listings of /builds/, /home/gitlab-runner/builds/, /tmp/, and /var/lib/gitlab-runner/, and HTTPS-POSTs the aggregated payload with rejectUnauthorized:false to two hardcoded exfiltration endpoints: https://webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and https://enqoojbegdvxj.x.pipedream.net. The recon.js header comment self-labels the file as 'CryptoDAO Dependency Confusion Reconnaissance Payload'.

Source: amazon-inspector (4d844c4af5615aa5e7eb8470e79d2e95b841e91a8a23df81bafdb56f656b0111)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.