@doaction/authnpm

@doaction/[email protected] is shaped as a public-registry shadow of a private internal package: scoped name pattern, inflated 99.99.99 version, and a self-described 'environment telemetry for internal testing' purpose. Its preinstall hook (package.json declares "preinstall": "node scripts/postinstall.js") runs scripts/postinstall.js, which unconditionally require('@doaction/shared/bin/postinstall.js'). The @doaction/shared dependency is pinned to ^99.99.99 — another inflated public-registry artifact — and its contents are not shipped in this tarball, so the actual install-time code is whatever resolves as @doaction/shared from the public registry. Any organization with a private @doaction scope that does not lock its registry resolution will, on npm install, automatically execute attacker-controlled code from the public @doaction/shared. The package's exported reportAuthEnv() additionally forwards a whitelist of AUTH_* environment variables to Datadog via @doaction/shared, expanding the scope of data the unseen dependency can collect at runtime. The combination of the inflated version, the scoped-name shadowing pattern, the preinstall delegation to an unshipped same-author dependency, and the env-forwarding API is the canonical dependency-confusion attack shape.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.