OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5380 confirms this npm version as malicious. Package name `@doaction/sudo-prompt` mimics the widely-used `sudo-prompt` npm package and is published at version 99.99.99. `package.json` declares a `preinstall` script (`node scripts/postinstall.js`) which `require()`s `@doaction/shared/bin/preinstall.js` from the sibling `@doaction/shared` dependency...
Advisory
MAL-2026-5380
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @doaction/sudo-prompt (npm)
Details
Package name `@doaction/sudo-prompt` mimics the widely-used `sudo-prompt` npm package and is published at version 99.99.99. `package.json` declares a `preinstall` script (`node scripts/postinstall.js`) which `require()`s `@doaction/shared/bin/preinstall.js` from the sibling `@doaction/shared` dependency. The package's main module re-exports `collectEnv`, `sendToDatadog`, and `reportEnvToDatadog` from `@doaction/shared`, and its advertised `reportSudoEnv` function (src/index.js:21) calls `reportEnvToDatadog` with a `SUDO_WHITELIST` of environment variables, forwarding them to Datadog using a caller-supplied API key. Concerns: (a) the name is a close variant of a popular package, increasing the risk of mistaken installation; (b) on `npm install`, a preinstall hook delegates to a sibling package whose stated purpose is environment-variable collection and external transmission — the actual network behavior lives in the dependency and was not directly traced here; (c) the public API silently directs caller environment data to a fixed third-party service (Datadog), with only the account/key configurable. Routing to human review to assess name-confusion intent and verify the behavior of `@doaction/shared` at install time before publishing a final verdict.
## Source: ghsa-malware (488a945e315d4824a3cc9dbb099b6eb414d12692164cb2c965626725ff64776a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms @doaction/sudo-prompt@99.99.99 as malicious (MAL-2026-5380): Malicious code in @doaction/sudo-prompt (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory