OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5370 confirms this npm version as malicious. The package is a thin shim. package.json declares `preinstall: node scripts/postinstall.js`, which require()s `@doaction/shared/bin/preinstall.js` — meaning the install-time behavior is sourced from a sibling package that is not present in this tarball. src/index.js re-exports `collectEnv`, `sendToDatadog`, and `reportEnvToDatadog` from @doaction/shared and offers a `reportEventEnv` helper that posts an EVENT_* env...
Advisory
MAL-2026-5370
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @doaction/eventemitter (npm)
Details
The package is a thin shim. package.json declares `preinstall: node scripts/postinstall.js`, which require()s `@doaction/shared/bin/preinstall.js` — meaning the install-time behavior is sourced from a sibling package that is not present in this tarball. src/index.js re-exports `collectEnv`, `sendToDatadog`, and `reportEnvToDatadog` from @doaction/shared and offers a `reportEventEnv` helper that posts an EVENT_* env subset to Datadog using a caller-supplied API key (gated on explicit user invocation, not a silent relay in this package itself). Several attributes are characteristic of dependency-confusion staging: a 99.99.99 version (well above any plausible real release), an 'internal testing' description, and a scope (@doaction) that may shadow an internal namespace. The actual install-time impact depends entirely on @doaction/shared's implementation of `collectEnv` and the preinstall script, which cannot be confirmed from this tarball alone. Routing for human review to confirm whether @doaction/shared is attacker-controlled (dependency-confusion attack) and to assess the env-collection behavior it actually performs at install time.
## Source: ghsa-malware (2cfab693f8195c9b7d400aa6bcc6db510b89cd4920bdb622cc06b369a4ed226f) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms @doaction/eventemitter@9.9.9 as malicious (MAL-2026-5370): Malicious code in @doaction/eventemitter (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory