npm

@doaction/eventemitter@9.9.9

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5370

Ecosystem

npm

Summary

On npm install, package.json declares "preinstall": "node scripts/postinstall.js", and scripts/preinstall.js unconditionally executes require('@doaction/shared/bin/preinstall.js'). This delegates to a sibling package that collects environment variables and transmits them to a third-party telemetry endpoint (Datadog) without any user opt-in, env-var gate, or interactive prompt. The README only documents reportEventEnv() as an opt-in runtime API, but the preinstall hook bypasses that consent path entirely.

The package self-describes as "internal testing" with a placeholder version 9.9.9 under the @doaction scope, matching the dependency-confusion attack shape: an internal-sounding scope plus an outsized version is engineered to win resolution against a private-registry counterpart and execute attacker-controlled code in the installer's CI/build environment. The eventemitter package itself is a thin auto-execution carrier; the harmful payload lives in the @doaction/shared dependency it pulls and immediately invokes.

Source: amazon-inspector (5221b351f74900764906fd20a62e5c3f390473ed87a1d4fb781e34d3ffd2f623)
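The two signals the report describes, an install-time lifecycle hook and an internal-looking scope paired with an outsized placeholder version, can be checked mechanically before a package's scripts ever run. The following is an added example for that triage step, not code from the OSV record or from the package; the list of scopes treated as internal, the major-version threshold, and the sample manifests are constructed assumptions.

```javascript
// Added example: flag npm manifests that match the shape described in the
// advisory (install lifecycle hooks plus internal scope / placeholder version).
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

function findingsFor(manifest, opts = {}) {
  const internalScopes = opts.internalScopes || [];   // assumption: caller supplies its private scopes
  const majorCeiling = opts.majorCeiling ?? 9;        // assumption: majors >= 9 are treated as placeholders
  const findings = [];
  const scripts = manifest.scripts || {};

  // Any install-phase hook runs code on the installer's machine without a prompt.
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`${hook} hook runs: ${scripts[hook]}`);
  }

  // Dependency-confusion shape: a scope we consider internal with an outsized version.
  const name = manifest.name || "";
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  const major = parseInt(String(manifest.version || "0").split(".")[0], 10);
  if (scope && internalScopes.includes(scope) && major >= majorCeiling) {
    findings.push(`internal-looking scope ${scope} with outsized version ${manifest.version}`);
  }

  if (/internal testing/i.test(manifest.description || "")) {
    findings.push("self-described as internal testing");
  }
  return findings;
}

// Returns { "name@version": [findings...] } for every manifest with at least one finding.
function scanManifests(manifests, opts) {
  const report = {};
  for (const m of manifests) {
    const f = findingsFor(m, opts);
    if (f.length) report[`${m.name}@${m.version}`] = f;
  }
  return report;
}

// Constructed sample input: one manifest shaped like the advisory's package, one benign.
const SAMPLE_MANIFESTS = [
  { name: "@doaction/eventemitter", version: "9.9.9", description: "internal testing",
    scripts: { preinstall: "node scripts/postinstall.js" },
    dependencies: { "@doaction/shared": "*" } },
  { name: "left-pad", version: "1.3.0", scripts: { test: "node test.js" } },
];

console.log(JSON.stringify(scanManifests(SAMPLE_MANIFESTS, { internalScopes: ["@doaction"] }), null, 2));
```

Running installs with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) in CI keeps such a preinstall hook from executing at all while this kind of check runs over the resolved tree.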
