@doaction/rrweb-sdk @99.99.99
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5376
Ecosystem
npm
Summary
@doaction/rrweb-sdk@9.9.9 is a dependency-confusion / namespace-impersonation package targeting the rrweb session-recording SDK ecosystem. The package's package.json declares "preinstall": "node scripts/postinstall.js", and scripts/postinstall.js does require('@doaction/shared/bin/postinstall.js') unconditionally on npm install. The transitive @doaction/shared dependency collects installer-side environment data and POSTs it to a Datadog endpoint (the package self-describes as Datadog environment telemetry, and src/index.js only re-exports collectEnv / sendToDatadog / reportEnvToDatadog — there is no rrweb session-recording code despite the name and keywords). The 9.9.9 version number is a canonical dependency-confusion marker designed to win semver resolution over a legitimately named internal rrweb-sdk package. The package therefore exfiltrates the installer's environment variables (commonly containing CI tokens, cloud credentials, and internal hostnames) to a third party before the consumer's code ever runs. A second lifecycle script, scripts/preinstall.js, ships alongside but is not the one wired into the hook, consistent with templated mass-publication across multiple impersonated SDK names.
Source: amazon-inspector (6efd52baa69926a32dbac2a3c5eb53c361935e9a3386d2893bf2d7506ab4dfea)
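The summary above describes three install-time signals a reviewer can check before a package is installed: an npm lifecycle hook, a hook whose command invokes a differently named script, and a repeated-9 version marker. The following is an added defensive example, not code from the OSV record or from the package; the package.json it inspects is a constructed sample modelled on the report, and the checks are heuristics, not proof of malice.

```python
import json
import re

# Lifecycle hooks npm runs automatically when a dependency is installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Repeated-9 versions such as 9.9.9 or 99.99.99 are a common confusion marker.
CONFUSION_MARKER = re.compile(r"9+(\.9+){2}")


def find_install_hook_risks(package_json_text):
    """Return a list of findings (strings) for one package.json document."""
    pkg = json.loads(package_json_text)
    findings = []
    version = str(pkg.get("version", ""))
    scripts = pkg.get("scripts") or {}

    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Any install-time hook executes before the consumer's own code runs.
        findings.append(f"lifecycle hook '{hook}' runs: {cmd}")
        # A hook that invokes a differently named script (preinstall -> postinstall.js)
        # matches the templated-wiring pattern described in the report.
        match = re.search(r"([a-z]*install)\.js", cmd)
        if match and match.group(1) != hook:
            findings.append(f"'{hook}' invokes {match.group(0)}: mismatched script name")

    if CONFUSION_MARKER.fullmatch(version):
        findings.append(f"version {version} looks like a dependency-confusion marker")
    return findings


# Constructed sample modelled on the report's description (not the real package).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "@doaction/rrweb-sdk",
    "version": "9.9.9",
    "scripts": {"preinstall": "node scripts/postinstall.js"},
    "dependencies": {"@doaction/shared": "*"},
})

if __name__ == "__main__":
    for finding in find_install_hook_risks(SAMPLE_PACKAGE_JSON):
        print("FINDING:", finding)
```

Running the checks over every package.json in a lockfile-resolved tree (or using `npm install --ignore-scripts` in CI) turns the report's indicators into a pre-install gate rather than a post-incident finding.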