npm

@doaction/storage@99.99.99

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-5379

Ecosystem

npm

Summary

Package @doaction/storage@99.99.99 is shaped as a dependency-confusion attack against the private-looking @doaction scope. The 99.99.99 sentinel version is the canonical pattern used to outrank any legitimate internal version when an installer's resolver reaches the public npm registry. On npm install, the preinstall hook (node scripts/postinstall.js) runs automatically and require()s @doaction/shared/bin/postinstall.js, which is pulled in as a ^99.99.99 dependency. The package's stated purpose and exports (collectEnv, sendToDatadog, reportEnvToDatadog in src/index.js) advertise harvesting environment variables and shipping them to a Datadog intake. Because the actual collection and transmission code lives in the sibling @doaction/shared package and not in this tarball, the data set being exfiltrated cannot be audited against any README whitelist: installers have no way to know which env vars (potentially including credentials, tokens, CI secrets) actually leave the host. The combination of a private-scope squat, a sentinel version, an auto-executing preinstall hook and env-var collection delegated to an opaque sibling package is a textbook dependency-confusion exfiltration probe.
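The indicators named in the summary (a sentinel 99.x version, an install-time lifecycle hook, a dependency on a private scope that is not pinned to a private registry) can be checked mechanically before a manifest is allowed into a build. The following audit is an added example written for this page; it is not code from the OSV record, from amazon-inspector, or from the package itself. The manifest contents, the scope list and the .npmrc text are constructed here to mirror the report, and the function names (auditManifest, parseNpmrcScopes) are assumptions.

```javascript
// Added example, not from the OSV record: audit a package.json for the
// dependency-confusion indicators described in the report above.

// Lifecycle scripts that npm runs automatically during installation.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];
// Major version used as an "outrank everything" sentinel (99.99.99, ^99.99.99, ...).
const SENTINEL_MAJOR = 99;

// Extract the major number from a version or range spec such as "^99.99.99".
function majorOf(spec) {
  const m = /(\d+)\.\d+\.\d+/.exec(String(spec));
  return m ? Number(m[1]) : null;
}

// "@doaction/storage" -> "@doaction"; unscoped names return null.
function scopeOf(name) {
  return name.startsWith('@') ? name.split('/')[0] : null;
}

// Parse "@scope:registry=URL" lines from an .npmrc into a scope -> URL map.
function parseNpmrcScopes(text) {
  const registries = {};
  for (const line of text.split('\n')) {
    const m = /^\s*(@[^:\s]+):registry\s*=\s*(\S+)/.exec(line);
    if (m) registries[m[1]] = m[2];
  }
  return registries;
}

// pkg: parsed package.json; opts.privateScopes: scopes the organisation owns;
// opts.scopedRegistries: map produced by parseNpmrcScopes (assumption: this is
// how the private registry pinning is supplied to the audit).
function auditManifest(pkg, opts) {
  const findings = [];
  const privateScopes = new Set(opts.privateScopes || []);
  const scopedRegistries = opts.scopedRegistries || {};

  // 1. The package itself is published at a sentinel version.
  if (majorOf(pkg.version || '') === SENTINEL_MAJOR) {
    findings.push({ kind: 'sentinel-version', detail: `${pkg.name}@${pkg.version}` });
  }

  // 2. Any lifecycle hook means code runs at install time, before review.
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ kind: 'install-hook', detail: `${hook}: ${pkg.scripts[hook]}` });
    }
  }

  // 3. Dependencies: sentinel ranges, and private scopes that the resolver
  //    may satisfy from the public registry because no registry is pinned.
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies, pkg.optionalDependencies);
  for (const [name, spec] of Object.entries(deps)) {
    if (majorOf(spec) === SENTINEL_MAJOR) {
      findings.push({ kind: 'sentinel-dependency', detail: `${name}@${spec}` });
    }
    const scope = scopeOf(name);
    if (scope && privateScopes.has(scope) && !scopedRegistries[scope]) {
      findings.push({ kind: 'unpinned-private-scope', detail: name });
    }
  }
  return findings;
}

// Constructed manifest shaped like the package in the report (not the real tarball).
const SUSPICIOUS_MANIFEST = {
  name: '@doaction/storage',
  version: '99.99.99',
  scripts: { preinstall: 'node scripts/postinstall.js' },
  dependencies: { '@doaction/shared': '^99.99.99' },
};

// Constructed benign manifest whose private scope is pinned in .npmrc.
const BENIGN_MANIFEST = {
  name: 'my-app',
  version: '1.2.3',
  dependencies: { '@doaction/shared': '^1.4.0', 'lodash': '^4.17.21' },
};
const BENIGN_NPMRC = '@doaction:registry=https://npm.example.internal/\nalways-auth=true\n';

function auditSuspicious() {
  return auditManifest(SUSPICIOUS_MANIFEST, { privateScopes: ['@doaction'], scopedRegistries: {} });
}

function auditBenign() {
  return auditManifest(BENIGN_MANIFEST, {
    privateScopes: ['@doaction'],
    scopedRegistries: parseNpmrcScopes(BENIGN_NPMRC),
  });
}

for (const f of auditSuspicious()) console.log(`[${f.kind}] ${f.detail}`);
```

Run against the constructed suspicious manifest, the audit reports all four indicators (sentinel version, preinstall hook, sentinel dependency range, unpinned private scope); the benign manifest, whose @doaction scope is pinned to an internal registry in .npmrc, produces no findings. The unpinned-scope check is the one that actually closes the confusion path: with a scoped registry configured, the resolver never asks the public registry for @doaction packages, so the 99.99.99 version has nothing to outrank.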

Source: amazon-inspector (e2555ac1fb49d2dac0108e398a6acffa2bffa1a86326db5fa384ed1232fdab89)
