{"id":"MAL-2026-5381","summary":"Malicious code in @doaction/systeminformation (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4d2fd59d1828036e5c2cc49573fe68220054d50c3d41e0782735809a4c05ac45)\nPackage name `@doaction/systeminformation` impersonates the widely-used `systeminformation` npm package and is published at suspiciously inflated version `9.9.9`. The `package.json` declares `\"preinstall\": \"node scripts/postinstall.js\"`, which delegates to `@doaction/shared/bin/preinstall.js` — meaning a plain `npm install` auto-executes code from a sibling package controlled by the same author. The library entry point in `src/index.js` re-exports `collectEnv`, `sendToDatadog`, and `reportEnvToDatadog` from `@doaction/shared` and the `reportSystemEnv` helper collects host identifiers (`os.hostname`, platform, arch, release, cpu/memory/uptime/loadavg) plus environment variables (whitelist `SYSINFO_*` is overridable via `extraVars`) and forwards them through `sendToDatadog`. The wrapper around the preinstall require swallows all errors other than `MODULE_NOT_FOUND`, hiding failures from the installer. The combination of name impersonation of a top-100 package, install-time auto-execution, and an API whose declared purpose is shipping installer environment data to a third-party endpoint is the env-exfiltration shape.\n\n## Source: ghsa-malware (7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","aliases":["GHSA-xj3m-q8rc-3f5j"],"modified":"2026-06-09T19:01:32.062145817Z","published":"2026-06-09T14:17:42Z","database_specific":{"malicious-packages-origins":[{"id":"GHSA-xj3m-q8rc-3f5j","import_time":"2026-06-09T15:22:39.856711545Z","source":"ghsa-malware","modified_time":"2026-06-09T14:17:43Z","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"sha256":"7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea"},{"source":"amazon-inspector","versions":["9.9.9"],"id":"IN-MAL-2026-005171","modified_time":"2026-06-09T18:16:13Z","import_time":"2026-06-09T18:50:22.027734715Z","sha256":"4d2fd59d1828036e5c2cc49573fe68220054d50c3d41e0782735809a4c05ac45"},{"source":"amazon-inspector","versions":["9.9.9"],"id":"IN-MAL-2026-005172","modified_time":"2026-06-09T18:16:14Z","import_time":"2026-06-09T18:50:22.114874015Z","sha256":"f93d6bb944e989ce27814352bb53d38fc6e14234e4bb185921fc9c49b022c4c7"}]},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-xj3m-q8rc-3f5j"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@doaction/systeminformation/v/9.9.9"}],"affected":[{"package":{"name":"@doaction/systeminformation","ecosystem":"npm","purl":"pkg:npm/%40doaction%2Fsysteminformation"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["9.9.9"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"domains":["e1gjv2ne5a.execute-api.ap-northeast-1.amazonaws.com"],"evidence_files":[{"path":"package.json","tlsh":"1df02420ab129a3719c167a25c37811267b08b2f1044b90c2ecb1118830daba62bb32d","sha256":"ec46fe9d1dc62fc47757b3a1c82bff2b2eceea8d2679df07f6f6dab9df2bf664"},{"path":"scripts/postinstall.js","tlsh":"5ad0a7897a49a7bc3ca1452a15831206767141241220b1a87c9603528314144672b4a1","sha256":"992cfad515426f7b2f24a7b9f75bc53a2dd67a05ccedc26c59629ffc16d5cd76"},{"path":"src/index.js","tlsh":"4531ace226a4a755359734d4884bc1526730e2633e4ab4ed3ccf53d09f9d8a863f3e68","sha256":"ad259e619b1d85087086d53b7543463126b235f757a610509df8d880de79e6c8"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@doaction/systeminformation/MAL-2026-5381.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}