@doaction/example @99.99.99
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-5371
Ecosystem
npm
Summary
@doaction/example@99.99.99 is a scoped npm package whose package.json self-describes as 'Example package with Datadog environment telemetry for internal testing' and pins @doaction/shared at ^99.99.99 . On install, scripts/preinstall.js delegates execution to @doaction/shared/bin/preinstall.js via require('@doaction/shared/bin/preinstall.js') . The shared dependency's preinstall code is not present in this tarball and its actual behavior cannot be confirmed from the contents shipped here. The library API reportExampleEnv (src/index.js) is opt-in: callers must explicitly supply a Datadog API key and invoke the function, and the documented whitelist is limited to EXAMPLE_MODE and EXAMPLE_DEBUG . The installer-facing risk depends entirely on what @doaction/shared 's preinstall and collectEnv actually do — those bytes need to be reviewed before a final disposition. The 99.99.99 version pattern combined with the scoped name is also consistent with a dependency-confusion shape against an internal @doaction namespace, which warrants human assessment.
Source: amazon-inspector (9e2df92bb520aefba5bcfa6e3e88b4cbd7da3ea27b121380c17615bcfbab1ade)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.