@doaction/mapstore @99.99.99
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-5374
Ecosystem: npm
Summary
@doaction/mapstore@99.99.99 is published to the public npm registry under a sentinel-high version (99.99.99) with a pinned `@doaction/shared: ^99.99.99` dependency — the canonical shape of a dependency-confusion attack designed to be resolved over a private internal @doaction/* package.

package.json declares `"preinstall": "node scripts/postinstall.js"`, which require()s `@doaction/shared/bin/postinstall.js`; a sibling preinstall.js wrapper similarly require()s `@doaction/shared/bin/preinstall.js`. The wrappers self-describe as 'Triggers safe environment telemetry on npm install' and the package's main src/index.js documents the purpose as collecting environment variables and sending them to Datadog. Both wrappers catch and silently swallow non-MODULE_NOT_FOUND errors so the install completes regardless of telemetry success/failure, minimizing installer visibility. The exfiltration runs unconditionally at npm install time with no user opt-in.

Installer harm: CI/build environment variables (which routinely include cloud credentials, registry tokens, and CI secrets) are transmitted to a third-party endpoint whenever a build system mistakenly resolves this public package over the intended internal one.
Source: amazon-inspector (9692028d96015eee60ce05d38eac9bf0c6e51dd2153cea37cad4756e3b4b3de9)