registry  /  @doaction/examples  /  9.9.9

@doaction/examples@9.9.9

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5372 confirms this npm version as malicious. @doaction/examples@99.99.99 declares `preinstall: node scripts/postinstall.js` in package.json, which requires `@doaction/shared/bin/postinstall.js`. The package self-describes as 'for internal testing' and depends on `@doaction/shared` at `^99.99.99`...

Advisory
MAL-2026-5372
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @doaction/examples (npm)
Details
@doaction/examples@99.99.99 declares `preinstall: node scripts/postinstall.js` in package.json, which requires `@doaction/shared/bin/postinstall.js`. The package self-describes as 'for internal testing' and depends on `@doaction/shared` at `^99.99.99`. On `npm install`, the preinstall hook auto-executes and loads telemetry code from the sibling `@doaction/shared` package, which collects environment variables and transmits them to a remote destination — the installer has no opportunity to consent and no documented opt-out at this stage. The version `99.99.99` combined with `@doaction` scope and 'internal testing' wording is the canonical dependency-confusion override fingerprint: any organization with private `@doaction/*` packages whose installer pulls from public npm instead of an internal registry will resolve and execute this code in place of their internal package. A secondary integrity concern: a separate `scripts/preinstall.js` file exists but is unreferenced, while the actual preinstall hook points at a file named `postinstall.js` — a naming inconsistency that obscures what executes at install time. ## Source: ghsa-malware (44da964c1ac1406847f9192c36e492ae4a8bb056aed718e6b72aee397fff34ac) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms @doaction/examples@9.9.9 as malicious (MAL-2026-5372): Malicious code in @doaction/examples (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory