npm

@doaction/sudo-prompt @99.99.99

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 8:23 PM UTC

Malicious

OSV ID

MAL-2026-5380

Ecosystem

npm

Summary

Package name @doaction/sudo-prompt mimics the widely-used sudo-prompt npm package and is published at version 99.99.99. package.json declares a preinstall script ( node scripts/postinstall.js ) which require() s @doaction/shared/bin/preinstall.js from the sibling @doaction/shared dependency. The package's main module re-exports collectEnv , sendToDatadog , and reportEnvToDatadog from @doaction/shared , and its advertised reportSudoEnv function (src/index.js:21) calls reportEnvToDatadog with a SUDO_WHITELIST of environment variables, forwarding them to Datadog using a caller-supplied API key. Concerns: (a) the name is a close variant of a popular package, increasing the risk of mistaken installation; (b) on npm install , a preinstall hook delegates to a sibling package whose stated purpose is environment-variable collection and external transmission — the actual network behavior lives in the dependency and was not directly traced here; (c) the public API silently directs caller environment data to a fixed third-party service (Datadog), with only the account/key configurable. Routing to human review to assess name-confusion intent and verify the behavior of @doaction/shared at install time before publishing a final verdict.

Source: amazon-inspector (1083bbecb5bbb6de74ff391c8e0516c1041b464d728ff90b3727d78b7cd19e91)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.