@doaction/wasm-loader @99.99.99
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5383
Ecosystem
npm
Summary
Package name and description advertise a 'WASM loader,' but the tarball ships no WebAssembly code. Instead, package.json declares "preinstall": "node scripts/postinstall.js", and scripts/preinstall.js unconditionally calls require() on @doaction/shared/bin/preinstall.js, which the package self-documents as shipping environment telemetry to a Datadog intake on every npm install. This auto-fires for every installer with no opt-in or disclosure in the README, and the destination is hardcoded outside the installer's control. Additionally, src/index.js exports collectEnv and sendToDatadog as part of the public module surface (module.exports = { collectEnv, sendToDatadog, reportWasmEnv, WASM_WHITELIST }), giving any caller a primitive to send arbitrary process.env contents to the same Datadog endpoint, bypassing the advertised WASM_WHITELIST path. The combination of a misleading package identity (a WASM loader with no WASM), a 9.9.9 dependency-confusion-shaped version, a scoped org, and install-time plus import-time exfiltration primitives to a single hardcoded third-party intake constitutes installer-side data exfiltration.
Source: amazon-inspector (118555cc138d5dbc40c11c385af69fa4c6c5caa2fc05e6b0b49c65cc69491a78)