npm

@public-for-cdao/token @99.99.99

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10603

Ecosystem

npm

Summary

Package @public-for-cdao/token@99.99.99 is a dependency-confusion payload targeting an internal @cdao/token scope. package.json declares a postinstall hook that runs node recon.js , which on npm install collects host identity ( os.hostname() , username, platform, cwd), iterates a large list of CI/CD and cloud credential environment variables (including AWS_SECRET_ACCESS_KEY , NPM_TOKEN , GITLAB_* tokens, PRIVATE_KEY , MNEMONIC , DB_PASSWORD ), reads .env* files at multiple paths and greps for KEY/SECRET/TOKEN/PASS/PRIVATE/MNEMONIC lines, and enumerates GitLab-runner build directories under /builds/ , /home/gitlab-runner/builds/ , and /var/lib/gitlab-runner/ . The collected data is JSON-serialized and POSTed over HTTPS with rejectUnauthorized:false to two attacker-controlled endpoints: webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net . The version 99.99.99 and mismatched public scope are consistent with attempting to preempt resolution of an internal package of the same base name.

Source: amazon-inspector (eb59d96acba76c5d5e2044eae3d7dfeb33bc19f10d75aa04fcf6765ad9b7fde8)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.