MAL-2026-5381

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/systeminformation/MAL-2026-5381.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5381
Aliases
  • GHSA-xj3m-q8rc-3f5j
Published
2026-06-09T14:17:42Z
Modified
2026-07-08T17:16:50.257185709Z
Summary
Malicious code in @doaction/systeminformation (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b381d060615d56335f99fa3fabf87b79bea5769df31e58a0420b2e614a032783)

Package @doaction/systeminformation published at version 99.99.99 has a name closely matching the widely-used systeminformation npm package and a version number consistent with a dependency-confusion bait shape. Its preinstall and postinstall scripts both require('@doaction/shared/bin/preinstall.js'), delegating install-time behavior to a sibling package whose contents are not shipped in this tarball. The library's documented API (reportSystemEnv in src/index.js) collects host identifiers (hostname, os.*) and an envData object and routes them through sendToDatadog(...) from @doaction/shared with a hardcoded service tag doaction-systeminformation; callers cannot redirect to their own backend without bypassing this path. The destination is Datadog (a legitimate observability vendor) rather than anonymous attacker infrastructure, and the @doaction scope suggests an internal/organizational package rather than a public-attack lure ("for internal testing" per README). The actual install-time payload bytes live in @doaction/shared and were not inspected here. Routing to human review to confirm whether @doaction is a legitimate organizational scope, whether @doaction/shared contains harmful install-time behavior, and whether the name collision with systeminformation is intentional squatting or an internal-namespace mistake.

Source: ghsa-malware (7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea",
            "id": "GHSA-xj3m-q8rc-3f5j",
            "import_time": "2026-06-09T15:22:39.856711545Z",
            "modified_time": "2026-06-09T14:17:43Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "ghsa-malware"
        },
        {
            "versions": [
                "9.9.9"
            ],
            "id": "IN-MAL-2026-005171",
            "import_time": "2026-06-09T18:50:22.027734715Z",
            "modified_time": "2026-06-09T18:16:13Z",
            "sha256": "4d2fd59d1828036e5c2cc49573fe68220054d50c3d41e0782735809a4c05ac45",
            "source": "amazon-inspector"
        },
        {
            "sha256": "f93d6bb944e989ce27814352bb53d38fc6e14234e4bb185921fc9c49b022c4c7",
            "id": "IN-MAL-2026-005172",
            "import_time": "2026-06-09T18:50:22.114874015Z",
            "modified_time": "2026-06-09T18:16:14Z",
            "versions": [
                "9.9.9"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "99.99.99"
            ],
            "id": "IN-MAL-2026-008109",
            "modified_time": "2026-07-08T16:26:11Z",
            "import_time": "2026-07-08T17:01:31.248068945Z",
            "sha256": "b381d060615d56335f99fa3fabf87b79bea5769df31e58a0420b2e614a032783",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @doaction/systeminformation

Package

Name
@doaction/systeminformation
View open source insights on deps.dev
Purl
pkg:npm/%40doaction/systeminformation

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.9.9
99.*
99.99.99

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "ec46fe9d1dc62fc47757b3a1c82bff2b2eceea8d2679df07f6f6dab9df2bf664",
            "tlsh": "1df02420ab129a3719c167a25c37811267b08b2f1044b90c2ecb1118830daba62bb32d",
            "path": "package.json"
        },
        {
            "sha256": "992cfad515426f7b2f24a7b9f75bc53a2dd67a05ccedc26c59629ffc16d5cd76",
            "tlsh": "5ad0a7897a49a7bc3ca1452a15831206767141241220b1a87c9603528314144672b4a1",
            "path": "scripts/postinstall.js"
        },
        {
            "sha256": "ad259e619b1d85087086d53b7543463126b235f757a610509df8d880de79e6c8",
            "tlsh": "4531ace226a4a755359734d4884bc1526730e2633e4ab4ed3ccf53d09f9d8a863f3e68",
            "path": "src/index.js"
        }
    ],
    "domains": [
        "e1gjv2ne5a.execute-api.ap-northeast-1.amazonaws.com"
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/systeminformation/MAL-2026-5381.json"