MAL-2026-5381
Malicious code in @doaction/systeminformation (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b381d060615d56335f99fa3fabf87b79bea5769df31e58a0420b2e614a032783) Package `@doaction/systeminformation` published at version 99.99.99 has a name closely matching the widely-used `systeminformation` npm package and a version number consistent with a dependency-confusion bait shape. Its `preinstall` and `postinstall` scripts both `require('@doaction/shared/bin/preinstall.js')`, delegating install-time behavior to a sibling package whose contents are not shipped in this tarball. The library's documented API (`reportSystemEnv` in `src/index.js`) collects host identifiers (`hostname`, `os.*`) and an `envData` object and routes them through `sendToDatadog(...)` from `@doaction/shared` with a hardcoded service tag `doaction-systeminformation`; callers cannot redirect to their own backend without bypassing this path. The destination is Datadog (a legitimate observability vendor) rather than anonymous attacker infrastructure, and the @doaction scope suggests an internal/organizational package rather than a public-attack lure ("for internal testing" per README). The actual install-time payload bytes live in `@doaction/shared` and were not inspected here. Routing to human review to confirm whether @doaction is a legitimate organizational scope, whether `@doaction/shared` contains harmful install-time behavior, and whether the name collision with `systeminformation` is intentional squatting or an internal-namespace mistake.
## Source: ghsa-malware (7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
0 No fixed version published yet for @doaction/systeminformation (npm). Pin to a known-safe version or switch to an alternative.