Which versions of @doaction/systeminformation are malicious?

The following npm versions of @doaction/systeminformation are flagged malicious: 9.9.9. Treat any of these as compromised.

How do I remediate @doaction/systeminformation if I installed it?

@doaction/systeminformation is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed @doaction/systeminformation — how do I know if it already compromised me?

If @doaction/systeminformation was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is @doaction/systeminformation part of a known attack campaign?

Yes — @doaction/systeminformation is associated with the GHSA-xj3m-q8rc-3f5j, IN-MAL-2026-005171, IN-MAL-2026-005172 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find @doaction/systeminformation across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @doaction/systeminformation (version 9.9.9). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @doaction/systeminformation across your stack and pipelines.

Malicious package

@doaction/systeminformationnpm

Malicious code in @doaction/systeminformation (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5381

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @doaction/systeminformation

What this malware does

Package name @doaction/systeminformation impersonates the widely-used systeminformation npm package and is published at suspiciously inflated version 9.9.9. The package.json declares "preinstall": "node scripts/postinstall.js", which delegates to @doaction/shared/bin/preinstall.js — meaning a plain npm install auto-executes code from a sibling package controlled by the same author. The library entry point in src/index.js re-exports collectEnv, sendToDatadog, and reportEnvToDatadog from @doaction/shared and the reportSystemEnv helper collects host identifiers (os.hostname, platform, arch, release, cpu/memory/uptime/loadavg) plus environment variables (whitelist SYSINFO_* is overridable via extraVars) and forwards them through sendToDatadog. The wrapper around the preinstall require swallows all errors other than MODULE_NOT_FOUND, hiding failures from the installer. The combination of name impersonation of a top-100 package, install-time auto-execution, and an API whose declared purpose is shipping installer environment data to a third-party endpoint is the env-exfiltration shape.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged

9.9.9

Indicators of compromise (SHA-256)

7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea

4d2fd59d1828036e5c2cc49573fe68220054d50c3d41e0782735809a4c05ac45

f93d6bb944e989ce27814352bb53d38fc6e14234e4bb185921fc9c49b022c4c7

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @doaction/systeminformation (version 9.9.9). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @doaction/systeminformation across your stack and pipelines.
If you installed it — respond
@doaction/systeminformation is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If @doaction/systeminformation was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @doaction/systeminformation before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @doaction/systeminformation on npm has been identified as a malicious package (version 9.9.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-xj3m-q8rc-3f5jIN-MAL-2026-005171IN-MAL-2026-005172

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks @doaction/systeminformation-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring