npm

@doaction/eventemitter @99.99.99

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 8:23 PM UTC

Malicious

OSV ID

MAL-2026-5370

Ecosystem

npm

Summary

The package is a thin shim. package.json declares preinstall: node scripts/postinstall.js , which require()s @doaction/shared/bin/preinstall.js — meaning the install-time behavior is sourced from a sibling package that is not present in this tarball. src/index.js re-exports collectEnv , sendToDatadog , and reportEnvToDatadog from @doaction/shared and offers a reportEventEnv helper that posts an EVENT_* env subset to Datadog using a caller-supplied API key (gated on explicit user invocation, not a silent relay in this package itself). Several attributes are characteristic of dependency-confusion staging: a 99.99.99 version (well above any plausible real release), an 'internal testing' description, and a scope (@doaction) that may shadow an internal namespace. The actual install-time impact depends entirely on @doaction/shared's implementation of collectEnv and the preinstall script, which cannot be confirmed from this tarball alone. Routing for human review to confirm whether @doaction/shared is attacker-controlled (dependency-confusion attack) and to assess the env-collection behavior it actually performs at install time.

Source: amazon-inspector (865100529f6c19b1eff05a47c96abd2d4eb5dba0d4fc0af838c307c816072a20)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.