MAL-2026-5379

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/storage/MAL-2026-5379.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5379

Aliases

GHSA-v89r-6g3x-gjjv

Published

2026-06-09T14:17:42Z

Modified

2026-06-09T19:01:30.812002420Z

Summary

Malicious code in @doaction/storage (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e2555ac1fb49d2dac0108e398a6acffa2bffa1a86326db5fa384ed1232fdab89)

Package @doaction/storage@99.99.99 is shaped as a dependency-confusion attack against the private-looking @doaction scope. The 99.99.99 sentinel version is the canonical pattern used to outrank any legitimate internal version when an installer's resolver reaches the public npm registry. On npm install, the preinstall hook (node scripts/postinstall.js) auto-executes and require()s @doaction/shared/bin/postinstall.js, which is pulled as a ^99.99.99 dependency. The package's stated purpose and exports (collectEnv, sendToDatadog, reportEnvToDatadog in src/index.js) advertise harvesting environment variables and shipping them to a Datadog intake. Because the actual collection and transmission code lives in the sibling @doaction/shared package and not in this tarball, the data set being exfiltrated cannot be audited against any README whitelist — installers have no way to know which env vars (potentially including credentials, tokens, CI secrets) actually leave the host. The combination of private-scope squat + sentinel version + auto-executing preinstall + env-var collection delegated to an opaque sibling is a textbook dependency-confusion exfiltration probe.

Source: ghsa-malware (620b6a45fe33b78bdac831d940680e63c043ec99c93a5ab26f228c1caf4758c0)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific

{
    "malicious-packages-origins": [
        {
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "GHSA-v89r-6g3x-gjjv",
            "import_time": "2026-06-09T15:22:39.852805397Z",
            "sha256": "620b6a45fe33b78bdac831d940680e63c043ec99c93a5ab26f228c1caf4758c0",
            "source": "ghsa-malware",
            "modified_time": "2026-06-09T14:17:43Z"
        },
        {
            "id": "IN-MAL-2026-004994",
            "import_time": "2026-06-09T17:45:47.328697961Z",
            "sha256": "bed271cae290d3f21650c07889e7b47c06995105ec413362489c99a060909b79",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:14:51Z",
            "versions": [
                "99.99.99"
            ]
        },
        {
            "id": "IN-MAL-2026-004993",
            "import_time": "2026-06-09T17:45:47.252049216Z",
            "sha256": "e2555ac1fb49d2dac0108e398a6acffa2bffa1a86326db5fa384ed1232fdab89",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:14:50Z",
            "versions": [
                "99.99.99"
            ]
        },
        {
            "id": "IN-MAL-2026-005178",
            "versions": [
                "9.9.9"
            ],
            "sha256": "b84322c9b2e0700d89d3bccabf437e2c51739968be6a8a66f65dad5252a21ca8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T18:16:33Z",
            "import_time": "2026-06-09T18:50:22.876767748Z"
        },
        {
            "id": "IN-MAL-2026-005177",
            "versions": [
                "9.9.9"
            ],
            "sha256": "c160df854e9a1c424d1e3d8808345a00336ae58ecabba9bd9c1f0c6d83b88979",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T18:16:33Z",
            "import_time": "2026-06-09T18:50:22.635229143Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @doaction/storage

Package

Name: @doaction/storage; View open source insights on deps.dev
Purl: pkg:npm/%40doaction%2Fstorage

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.9.9

99.*

99.99.99

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "scripts/postinstall.js",
            "sha256": "394d3ad882e949a7ce57d16bd5a4467548fca5639a40d811fee857cec70c7382",
            "tlsh": "29d0224d7a8db7bc3ce0463e2943230a727181340320f2b8789b035687282446a2f4e1"
        },
        {
            "path": "package.json",
            "sha256": "9e4974e897a00e39551522a2d404fcd7850755dc0042d68ee020ec7cfe8869cb",
            "tlsh": "72f09e307b1246331dc052626c36501372b04f6f5144b9082adf11198b1c27f61ff11d"
        }
    ],
    "domains": [
        "e1gjv2ne5a.execute-api.ap-northeast-1.amazonaws.com"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/storage/MAL-2026-5379.json"