@doaction/auth@99.99.99

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5369

Ecosystem

npm

Summary

@doaction/auth@99.99.99 is shaped as a public-registry shadow of a private internal package: scoped name pattern, inflated 99.99.99 version, and a self-described 'environment telemetry for internal testing' purpose. Its preinstall hook (package.json declares `"preinstall": "node scripts/postinstall.js"`) runs scripts/postinstall.js, which unconditionally calls `require('@doaction/shared/bin/postinstall.js')`. The @doaction/shared dependency is pinned to ^99.99.99 (another inflated public-registry artifact) and its contents are not shipped in this tarball, so the actual install-time code is whatever resolves as @doaction/shared from the public registry. Any organization with a private @doaction scope that does not lock its registry resolution will, on `npm install`, automatically execute attacker-controlled code from the public @doaction/shared. The package's exported reportAuthEnv() additionally forwards a whitelist of AUTH_* environment variables to Datadog via @doaction/shared, expanding the scope of data the unseen dependency can collect at runtime. The combination of the inflated version, the scoped-name shadowing pattern, the preinstall delegation to an unshipped same-author dependency, and the env-forwarding API is the canonical dependency-confusion attack shape.

Source: amazon-inspector (f96ec00bc5ed7192c8483a1b27f2212ce64e5a86f1dc309b66d14ea969de00fb)
