registry  /  @doaction/systeminformation  /  9.9.9

@doaction/systeminformation@9.9.9

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5381 confirms this npm version as malicious. Package `@doaction/systeminformation` published at version 99.99.99 has a name closely matching the widely-used `systeminformation` npm package and a version number consistent with a dependency-confusion bait shape. Its `preinstall` and `postinstall` scripts both `require('@doaction/shared/bin/preinstall.js')`, delegating install-time behavior to a sibling package whose contents are not shipped in this tarball...

Advisory
MAL-2026-5381
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @doaction/systeminformation (npm)
Details
Package `@doaction/systeminformation` published at version 99.99.99 has a name closely matching the widely-used `systeminformation` npm package and a version number consistent with a dependency-confusion bait shape. Its `preinstall` and `postinstall` scripts both `require('@doaction/shared/bin/preinstall.js')`, delegating install-time behavior to a sibling package whose contents are not shipped in this tarball. The library's documented API (`reportSystemEnv` in `src/index.js`) collects host identifiers (`hostname`, `os.*`) and an `envData` object and routes them through `sendToDatadog(...)` from `@doaction/shared` with a hardcoded service tag `doaction-systeminformation`; callers cannot redirect to their own backend without bypassing this path. The destination is Datadog (a legitimate observability vendor) rather than anonymous attacker infrastructure, and the @doaction scope suggests an internal/organizational package rather than a public-attack lure ("for internal testing" per README). The actual install-time payload bytes live in `@doaction/shared` and were not inspected here. Routing to human review to confirm whether @doaction is a legitimate organizational scope, whether `@doaction/shared` contains harmful install-time behavior, and whether the name collision with `systeminformation` is intentional squatting or an internal-namespace mistake. ## Source: ghsa-malware (7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms @doaction/systeminformation@9.9.9 as malicious (MAL-2026-5381): Malicious code in @doaction/systeminformation (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory
@doaction/systeminformation@9.9.9: Malicious npm security report | LPM Firewall