MAL-2026-5381

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/systeminformation/MAL-2026-5381.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5381

Aliases

GHSA-xj3m-q8rc-3f5j

Published

2026-06-09T14:17:42Z

Modified

2026-06-09T19:01:32.062145817Z

Summary

Malicious code in @doaction/systeminformation (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4d2fd59d1828036e5c2cc49573fe68220054d50c3d41e0782735809a4c05ac45)

Package name @doaction/systeminformation impersonates the widely-used systeminformation npm package and is published at suspiciously inflated version 9.9.9. The package.json declares "preinstall": "node scripts/postinstall.js", which delegates to @doaction/shared/bin/preinstall.js — meaning a plain npm install auto-executes code from a sibling package controlled by the same author. The library entry point in src/index.js re-exports collectEnv, sendToDatadog, and reportEnvToDatadog from @doaction/shared and the reportSystemEnv helper collects host identifiers (os.hostname, platform, arch, release, cpu/memory/uptime/loadavg) plus environment variables (whitelist SYSINFO_* is overridable via extraVars) and forwards them through sendToDatadog. The wrapper around the preinstall require swallows all errors other than MODULE_NOT_FOUND, hiding failures from the installer. The combination of name impersonation of a top-100 package, install-time auto-execution, and an API whose declared purpose is shipping installer environment data to a third-party endpoint is the env-exfiltration shape.

Source: ghsa-malware (7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T15:22:39.856711545Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "sha256": "7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea",
            "id": "GHSA-xj3m-q8rc-3f5j",
            "source": "ghsa-malware",
            "modified_time": "2026-06-09T14:17:43Z"
        },
        {
            "modified_time": "2026-06-09T18:16:13Z",
            "versions": [
                "9.9.9"
            ],
            "sha256": "4d2fd59d1828036e5c2cc49573fe68220054d50c3d41e0782735809a4c05ac45",
            "id": "IN-MAL-2026-005171",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T18:50:22.027734715Z"
        },
        {
            "modified_time": "2026-06-09T18:16:14Z",
            "versions": [
                "9.9.9"
            ],
            "sha256": "f93d6bb944e989ce27814352bb53d38fc6e14234e4bb185921fc9c49b022c4c7",
            "id": "IN-MAL-2026-005172",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T18:50:22.114874015Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @doaction/systeminformation

Package

Name: @doaction/systeminformation; View open source insights on deps.dev
Purl: pkg:npm/%40doaction%2Fsysteminformation

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.9.9

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "ec46fe9d1dc62fc47757b3a1c82bff2b2eceea8d2679df07f6f6dab9df2bf664",
            "tlsh": "1df02420ab129a3719c167a25c37811267b08b2f1044b90c2ecb1118830daba62bb32d",
            "path": "package.json"
        },
        {
            "sha256": "992cfad515426f7b2f24a7b9f75bc53a2dd67a05ccedc26c59629ffc16d5cd76",
            "tlsh": "5ad0a7897a49a7bc3ca1452a15831206767141241220b1a87c9603528314144672b4a1",
            "path": "scripts/postinstall.js"
        },
        {
            "sha256": "ad259e619b1d85087086d53b7543463126b235f757a610509df8d880de79e6c8",
            "tlsh": "4531ace226a4a755359734d4884bc1526730e2633e4ab4ed3ccf53d09f9d8a863f3e68",
            "path": "src/index.js"
        }
    ],
    "domains": [
        "e1gjv2ne5a.execute-api.ap-northeast-1.amazonaws.com"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/systeminformation/MAL-2026-5381.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]