MAL-2026-5369

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/auth/MAL-2026-5369.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5369

Aliases

GHSA-5cwj-c46v-mpmf

Published

2026-06-09T14:17:41Z

Modified

2026-06-09T18:01:35.350417321Z

Summary

Malicious code in @doaction/auth (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f96ec00bc5ed7192c8483a1b27f2212ce64e5a86f1dc309b66d14ea969de00fb)

@doaction/auth@99.99.99 is shaped as a public-registry shadow of a private internal package: scoped name pattern, inflated 99.99.99 version, and a self-described 'environment telemetry for internal testing' purpose. Its preinstall hook (package.json declares "preinstall": "node scripts/postinstall.js") runs scripts/postinstall.js, which unconditionally require('@doaction/shared/bin/postinstall.js'). The @doaction/shared dependency is pinned to ^99.99.99 — another inflated public-registry artifact — and its contents are not shipped in this tarball, so the actual install-time code is whatever resolves as @doaction/shared from the public registry. Any organization with a private @doaction scope that does not lock its registry resolution will, on npm install, automatically execute attacker-controlled code from the public @doaction/shared. The package's exported reportAuthEnv() additionally forwards a whitelist of AUTH_* environment variables to Datadog via @doaction/shared, expanding the scope of data the unseen dependency can collect at runtime. The combination of the inflated version, the scoped-name shadowing pattern, the preinstall delegation to an unshipped same-author dependency, and the env-forwarding API is the canonical dependency-confusion attack shape.

Source: ghsa-malware (4f5cb209773d28630723ae7434596493f0829f1a14a765ba0b66f1f689a10e3a)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T15:22:39.84032744Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "sha256": "4f5cb209773d28630723ae7434596493f0829f1a14a765ba0b66f1f689a10e3a",
            "id": "GHSA-5cwj-c46v-mpmf",
            "source": "ghsa-malware",
            "modified_time": "2026-06-09T14:17:42Z"
        },
        {
            "import_time": "2026-06-09T17:45:47.728343131Z",
            "versions": [
                "99.99.99"
            ],
            "sha256": "315373bdc7d680635b763119fdedc6245f623aba4d3423f8f1447f057ea75c90",
            "id": "IN-MAL-2026-004996",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:14:56Z"
        },
        {
            "modified_time": "2026-06-09T17:14:56Z",
            "versions": [
                "99.99.99"
            ],
            "sha256": "f96ec00bc5ed7192c8483a1b27f2212ce64e5a86f1dc309b66d14ea969de00fb",
            "id": "IN-MAL-2026-004995",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:47.654589514Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @doaction/auth

Package

Name: @doaction/auth; View open source insights on deps.dev
Purl: pkg:npm/%40doaction%2Fauth

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

99.*

99.99.99

Database specific

indicators

{
    "domains": [
        "e1gjv2ne5a.execute-api.ap-northeast-1.amazonaws.com"
    ],
    "evidence_files": [
        {
            "sha256": "ef506116b05b6500c6e661562c8fa083b0e60bf6d0c92c81456e6e2a9d48e275",
            "tlsh": "5ed0226d3b8df77cbce045ba2a83234672a181280330faa8b886031383240487a1f4e2",
            "path": "scripts/postinstall.js"
        },
        {
            "sha256": "e66c9daab916ee235bdfc0b6cbf79f14526a26e576aa5538f4ded25331e3dbc3",
            "tlsh": "3f11b56315a43719b89b14d05e4fc192b531c1573e8934e830df57d06f8c4f855b1d94",
            "path": "src/index.js"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/auth/MAL-2026-5369.json"