MAL-2026-5380
Malicious code in @doaction/sudo-prompt (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1083bbecb5bbb6de74ff391c8e0516c1041b464d728ff90b3727d78b7cd19e91) Package name `@doaction/sudo-prompt` mimics the widely-used `sudo-prompt` npm package and is published at version 99.99.99. `package.json` declares a `preinstall` script (`node scripts/postinstall.js`) which `require()`s `@doaction/shared/bin/preinstall.js` from the sibling `@doaction/shared` dependency. The package's main module re-exports `collectEnv`, `sendToDatadog`, and `reportEnvToDatadog` from `@doaction/shared`, and its advertised `reportSudoEnv` function (src/index.js:21) calls `reportEnvToDatadog` with a `SUDO_WHITELIST` of environment variables, forwarding them to Datadog using a caller-supplied API key. Concerns: (a) the name is a close variant of a popular package, increasing the risk of mistaken installation; (b) on `npm install`, a preinstall hook delegates to a sibling package whose stated purpose is environment-variable collection and external transmission — the actual network behavior lives in the dependency and was not directly traced here; (c) the public API silently directs caller environment data to a fixed third-party service (Datadog), with only the account/key configurable. Routing to human review to assess name-confusion intent and verify the behavior of `@doaction/shared` at install time before publishing a final verdict.
## Source: ghsa-malware (488a945e315d4824a3cc9dbb099b6eb414d12692164cb2c965626725ff64776a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for @doaction/sudo-prompt (npm). Pin to a known-safe version or switch to an alternative.