Supply-chain threat intelligence

Incident detail

critical · npm · dependency confusion · osv

Malicious code in cryptodao-backend (npm)

cryptodao-backend

Risk score

92

AI summary

Indexed incident for cryptodao-backend (npm).

Description

package.json declares postinstall: node recon.js, which runs automatically on npm install. recon.js (lines 30-46) harvests a curated list of credential-bearing environment variables, including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, CI_REGISTRY_PASSWORD, GITLAB_ACCESS_TOKEN, SSH_PRIVATE_KEY, PRIVATE_KEY, MNEMONIC, and DB_PASSWORD. It additionally enumerates and reads .env files at multiple paths outside the package's own scope (.env, ../.env, /app/.env, /home/gitlab-runner/.env, /root/.env), keeping lines that match /KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC/i. The collected JSON payload is POSTed (recon.js:84-87, 99-106) over HTTPS with rejectUnauthorized:false to two attacker-controlled endpoints: https://webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and https://enqoojbegdvxj.x.pipedream.net/. The package self-describes as the "CryptoDAO internal cryptodao-backend module" and is published at version 99.99.99, the canonical dependency-confusion shape: an implausibly high version chosen to outrank a private internal package of the same name during npm resolution. A source comment in recon.js explicitly labels itself a "Dependency Confusion Reconnaissance Payload."
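The traits listed above (an install lifecycle hook, an implausibly high version, credential-bearing environment variables read from an install script, .env reads outside the package directory, and TLS verification disabled) are all statically detectable before a package is ever installed. The following Python scanner is an added example, not part of this incident record or of any tooling the page describes; the package.json and the recon script fragment it checks are constructed samples that only contain the indicators, and the package name is a placeholder.

```python
"""Static pre-install audit for dependency-confusion-style npm packages.

Added example (not part of the incident record). Given package.json text and
the source of any script an install hook references, it reports the traits
described in the advisory. The sample inputs below are constructed.
"""
import json
import re

# Lifecycle hooks that run automatically on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Environment variables an install script has no legitimate reason to read.
CREDENTIAL_ENV = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "NPM_TOKEN",
    "CI_REGISTRY_PASSWORD", "GITLAB_ACCESS_TOKEN", "SSH_PRIVATE_KEY",
    "PRIVATE_KEY", "MNEMONIC", "DB_PASSWORD",
}

# process.env.NAME or process.env["NAME"]
ENV_ACCESS_RE = re.compile(r'''process\.env(?:\.(\w+)|\[\s*['"](\w+)['"]\s*\])''')
# Quoted .env paths that climb out of, or are absolute to, the package directory.
ENV_FILE_RE = re.compile(r'''['"]((?:\.\./|/)[^'"]*\.env)['"]''')
# Node TLS verification switched off on an outbound request.
TLS_OFF_RE = re.compile(r"rejectUnauthorized\s*:\s*false")


def version_is_implausible(version, major_threshold=50):
    """True for versions like 99.99.99 whose only purpose is to win resolution."""
    try:
        major = int(version.split(".")[0])
    except ValueError:
        return False
    return major >= major_threshold


def _audit_script(name, src):
    """Findings for one script file referenced by an install hook."""
    findings = []
    names = {a or b for a, b in ENV_ACCESS_RE.findall(src)}
    creds = sorted(names & CREDENTIAL_ENV)
    if creds:
        findings.append(("high", f"{name} reads credential env vars: {', '.join(creds)}"))
    paths = sorted(set(ENV_FILE_RE.findall(src)))
    if paths:
        findings.append(("high", f"{name} reads .env outside package: {', '.join(paths)}"))
    if TLS_OFF_RE.search(src):
        findings.append(("medium", f"{name} disables TLS certificate verification"))
    return findings


def audit_package(package_json, sources):
    """Return (severity, finding) tuples for a package.

    package_json: text of package.json
    sources: dict of script filename -> contents, as read from the unpacked tarball
    """
    pkg = json.loads(package_json)
    findings = []
    version = pkg.get("version", "0.0.0")
    if version_is_implausible(version):
        findings.append(("high", f"implausible version {version}"))
    scripts = pkg.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(("medium", f"install hook {hook}: {cmd}"))
        # Inspect every token of the command we have source for (e.g. "node recon.js").
        for token in cmd.split():
            if token in sources:
                findings.extend(_audit_script(token, sources[token]))
    return findings


# Constructed sample: package name is a placeholder, not the real package.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-internal-backend",
    "version": "99.99.99",
    "scripts": {"postinstall": "node recon.js"},
})

# Constructed fragment containing only the indicators; it does nothing on its own.
SAMPLE_RECON_JS = """
const creds = { aws: process.env.AWS_ACCESS_KEY_ID, npm: process.env["NPM_TOKEN"] };
const envPaths = [".env", "../.env", "/root/.env"];
const opts = { method: "POST", rejectUnauthorized: false };
"""

BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-lib",
    "version": "1.4.2",
    "scripts": {"test": "node test.js"},
})

if __name__ == "__main__":
    for sev, msg in audit_package(SAMPLE_PACKAGE_JSON, {"recon.js": SAMPLE_RECON_JS}):
        print(f"[{sev}] {msg}")
    print("benign findings:", audit_package(BENIGN_PACKAGE_JSON, {}))
```

Run it against an unpacked tarball (npm pack, then extract) rather than an installed tree, so the audit happens before any hook can execute; in CI the useful policy is to block on any "high" finding and to require review for any install hook at all, since benign packages rarely need one.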

The OpenSSF Package Analysis project identified 'cryptodao-backend' @ 99.99.99 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Technical details

Affected versions

=99.99.99

Indicators

  • affected version = 99.99.99 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
