@doaction/systeminformation @99.99.99
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-5381
Ecosystem
npm
Summary
Package @doaction/systeminformation published at version 99.99.99 has a name closely matching the widely-used systeminformation npm package and a version number consistent with a dependency-confusion bait shape. Its preinstall and postinstall scripts both require('@doaction/shared/bin/preinstall.js') , delegating install-time behavior to a sibling package whose contents are not shipped in this tarball. The library's documented API ( reportSystemEnv in src/index.js ) collects host identifiers ( hostname , os.* ) and an envData object and routes them through sendToDatadog(...) from @doaction/shared with a hardcoded service tag doaction-systeminformation ; callers cannot redirect to their own backend without bypassing this path. The destination is Datadog (a legitimate observability vendor) rather than anonymous attacker infrastructure, and the @doaction scope suggests an internal/organizational package rather than a public-attack lure ("for internal testing" per README). The actual install-time payload bytes live in @doaction/shared and were not inspected here. Routing to human review to confirm whether @doaction is a legitimate organizational scope, whether @doaction/shared contains harmful install-time behavior, and whether the name collision with systeminformation is intentional squatting or an internal-namespace mistake.
Source: amazon-inspector (b381d060615d56335f99fa3fabf87b79bea5769df31e58a0420b2e614a032783)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.