VDB
KO

MAL-2026-5370

Malicious code in @doaction/eventemitter (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (865100529f6c19b1eff05a47c96abd2d4eb5dba0d4fc0af838c307c816072a20) The package is a thin shim. package.json declares `preinstall: node scripts/postinstall.js`, which require()s `@doaction/shared/bin/preinstall.js` — meaning the install-time behavior is sourced from a sibling package that is not present in this tarball. src/index.js re-exports `collectEnv`, `sendToDatadog`, and `reportEnvToDatadog` from @doaction/shared and offers a `reportEventEnv` helper that posts an EVENT_* env subset to Datadog using a caller-supplied API key (gated on explicit user invocation, not a silent relay in this package itself). Several attributes are characteristic of dependency-confusion staging: a 99.99.99 version (well above any plausible real release), an 'internal testing' description, and a scope (@doaction) that may shadow an internal namespace. The actual install-time impact depends entirely on @doaction/shared's implementation of `collectEnv` and the preinstall script, which cannot be confirmed from this tarball alone. Routing for human review to confirm whether @doaction/shared is attacker-controlled (dependency-confusion attack) and to assess the env-collection behavior it actually performs at install time.

## Source: ghsa-malware (2cfab693f8195c9b7d400aa6bcc6db510b89cd4920bdb622cc06b369a4ed226f) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @doaction/eventemitter
Introduced in: 0

No fixed version published yet for @doaction/eventemitter (npm). Pin to a known-safe version or switch to an alternative.

References