MAL-2026-5370

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/eventemitter/MAL-2026-5370.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5370
Aliases
  • GHSA-926j-qqmq-889c
Published
2026-06-09T14:17:41Z
Modified
2026-07-08T17:16:49.375330589Z
Summary
Malicious code in @doaction/eventemitter (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (865100529f6c19b1eff05a47c96abd2d4eb5dba0d4fc0af838c307c816072a20)

The package is a thin shim. package.json declares preinstall: node scripts/postinstall.js, which require()s @doaction/shared/bin/preinstall.js — meaning the install-time behavior is sourced from a sibling package that is not present in this tarball. src/index.js re-exports collectEnv, sendToDatadog, and reportEnvToDatadog from @doaction/shared and offers a reportEventEnv helper that posts an EVENT_* env subset to Datadog using a caller-supplied API key (gated on explicit user invocation, not a silent relay in this package itself). Several attributes are characteristic of dependency-confusion staging: a 99.99.99 version (well above any plausible real release), an 'internal testing' description, and a scope (@doaction) that may shadow an internal namespace. The actual install-time impact depends entirely on @doaction/shared's implementation of collectEnv and the preinstall script, which cannot be confirmed from this tarball alone. Routing for human review to confirm whether @doaction/shared is attacker-controlled (dependency-confusion attack) and to assess the env-collection behavior it actually performs at install time.

Source: ghsa-malware (2cfab693f8195c9b7d400aa6bcc6db510b89cd4920bdb622cc06b369a4ed226f)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2cfab693f8195c9b7d400aa6bcc6db510b89cd4920bdb622cc06b369a4ed226f",
            "id": "GHSA-926j-qqmq-889c",
            "modified_time": "2026-06-09T14:17:42Z",
            "import_time": "2026-06-09T15:22:39.844003335Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "ghsa-malware"
        },
        {
            "versions": [
                "9.9.9"
            ],
            "id": "IN-MAL-2026-005193",
            "modified_time": "2026-06-09T20:19:14Z",
            "sha256": "356613a140f3268f2633d292a37370ac2324af412bd3dbf6be2603f426db80cf",
            "import_time": "2026-06-09T20:45:51.283247078Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "9.9.9"
            ],
            "id": "IN-MAL-2026-005192",
            "import_time": "2026-06-09T20:45:51.049323193Z",
            "sha256": "5221b351f74900764906fd20a62e5c3f390473ed87a1d4fb781e34d3ffd2f623",
            "modified_time": "2026-06-09T20:19:14Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "99.99.99"
            ],
            "id": "IN-MAL-2026-008110",
            "modified_time": "2026-07-08T16:26:19Z",
            "sha256": "865100529f6c19b1eff05a47c96abd2d4eb5dba0d4fc0af838c307c816072a20",
            "import_time": "2026-07-08T17:01:31.332557684Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @doaction/eventemitter

Package

Name
@doaction/eventemitter
View open source insights on deps.dev
Purl
pkg:npm/%40doaction/eventemitter

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.9.9
99.*
99.99.99

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "0b25bcd00b225a3623f30b69b974d451557e06dc9cd2a037c028fbfe9b139f02",
            "tlsh": "4ce0237831e8b03c7cb919b52207034133a5901805387984b8ce07228aaf080663b983",
            "path": "scripts/preinstall.js"
        }
    ],
    "domains": [
        "e1gjv2ne5a.execute-api.ap-northeast-1.amazonaws.com"
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/eventemitter/MAL-2026-5370.json"