@doaction/types @99.99.99
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5382
Ecosystem
npm
Summary
@doaction/types@99.99.99 is a dependency-confusion lure targeting an internal @doaction scope. The package.json declares "version": "99.99.99" and pins "@doaction/shared": "^99.99.99" — the canonical version-flooding pattern designed to beat any private-registry copy of the same scoped name. The preinstall lifecycle hook ("preinstall": "node scripts/postinstall.js") runs automatically on npm install and require()s @doaction/shared/bin/preinstall.js; src/index.js wires reportEnvToDatadog from @doaction/shared, whose declared purpose is to collect environment variables and POST them to Datadog. The installer never opts in. The require() is wrapped in a try/catch that swallows everything except MODULE_NOT_FOUND, suppressing exfil errors in CI logs. The combination — internal-scope name confusion, 99.99.99 version flood, automatic preinstall execution, env-var shipment via a sibling package, and silenced error output — is the textbook dependency-confusion exfiltration shape and produces direct attacker benefit (capture of internal env vars, which routinely include CI tokens, cloud credentials, and registry auth).
Source: amazon-inspector (4092c28082abff16427aa0e246a327796294411786dae585fb4ab3114ad6504f)