Supply-chain threat intelligence
Risk score: 92
Indexed incident for cryptodao-bot (npm).
On npm install, the package's postinstall hook executes recon.js, which harvests installer-side data and POSTs it to attacker-controlled endpoints. Specifically, recon.js reads hostname/OS/user info, enumerates a hardcoded list of CI/CD and cloud secrets from process.env (including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, NPM_AUTH_TOKEN, GITLAB_ACCESS_TOKEN, CI_JOB_TOKEN, SSH_PRIVATE_KEY, DOCKER_PASSWORD, MNEMONIC, PRIVATE_KEY, etc.), and bulk-reads .env / .env.production files in the repo as well as /root/.env and /app/.env, filtering lines matching KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC. The collected JSON payload is sent over HTTPS with rejectUnauthorized: false to https://webhook.site/d6d18927-e513-4df7-b019-58bfc64fe0dd and https://enqoojbegdvxj.x.pipedream.net/. The package is published at version 99.99.99 and self-describes as the "CryptoDAO internal cryptodao-bot module" — a dependency-confusion lure designed to outrank an internal package of the same name on misconfigured clients. Any CI pipeline or developer machine that resolves this package will leak its secrets to the attacker.
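A pre-install triage check a CI pipeline could run on an unpacked package before npm executes its lifecycle scripts, added here as an example (not OpenSSF Package Analysis tooling and not the real artifact): it flags install hooks, string literals naming secret-bearing variables next to `process.env` access, `.env` file reads, and `rejectUnauthorized: false`. The sample package inside `demo()` is constructed to mirror the shape described above, and the block/review/pass policy is an assumed convention.

```python
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Same keyword filter the incident report describes, applied to quoted identifiers.
SECRET_NAME = re.compile(r"""["']([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC)[A-Z0-9_]*)["']""")
ENV_FILE = re.compile(r"""["'][^"']*\.env(?:\.[A-Za-z]+)?["']""")
TLS_OFF = re.compile(r"rejectUnauthorized\s*:\s*false")

def install_hooks(pkg_dir: Path) -> dict:
    """Return the lifecycle scripts npm would run when this package is installed."""
    scripts = json.loads((pkg_dir / "package.json").read_text()).get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}

def triage(pkg_dir: Path) -> dict:
    """Assumed policy: install hook + secret harvesting => block; hook alone => review."""
    hooks = install_hooks(pkg_dir)
    names, env_reads, tls_off, touches_env = set(), 0, False, False
    for js in pkg_dir.rglob("*.js"):
        src = js.read_text(errors="ignore")
        touches_env |= "process.env" in src
        names.update(SECRET_NAME.findall(src))
        env_reads += len(ENV_FILE.findall(src))
        tls_off |= TLS_OFF.search(src) is not None
    harvesting = (touches_env and bool(names)) or env_reads > 0
    return {
        "install_hooks": hooks,
        "secret_env_names": sorted(names),
        "env_file_reads": env_reads,
        "tls_verification_disabled": tls_off,
        "verdict": "block" if hooks and harvesting else "review" if hooks else "pass",
    }

def demo() -> dict:
    """Run triage over a constructed package shaped like the incident (not the real one)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "package.json").write_text(json.dumps({
            "name": "example-internal-bot", "version": "99.99.99",
            "scripts": {"postinstall": "node recon.js"}}))
        (pkg / "recon.js").write_text(  # constructed sample: reads names, sends nothing
            'const NAMES = ["AWS_ACCESS_KEY_ID", "NPM_TOKEN", "SSH_PRIVATE_KEY", "MNEMONIC"];\n'
            'const out = {}; for (const k of NAMES) out[k] = process.env[k];\n'
            'const dotenv = require("fs").readFileSync(".env.production", "utf8");\n'
            'const opts = { rejectUnauthorized: false };\n')
        return triage(pkg)
```

Running `npm ci --ignore-scripts` in CI and only enabling scripts for packages that pass a check like this removes the postinstall execution path the incident depends on.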
The OpenSSF Package Analysis project identified 'cryptodao-bot' @ 99.99.99 (npm) as malicious.
It is considered malicious because:
Affected versions
Indicators
Timeline