Which versions of @doaction/eventemitter are malicious?

The following npm versions of @doaction/eventemitter are flagged malicious: 9.9.9. Treat any of these as compromised.

How do I remediate @doaction/eventemitter if I installed it?

Remove @doaction/eventemitter from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @doaction/eventemitter part of a known attack campaign?

Yes — @doaction/eventemitter is associated with the GHSA-926j-qqmq-889c, IN-MAL-2026-005193, IN-MAL-2026-005192 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @doaction/eventemitter in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @doaction/eventemitter and packages like it before any post-install script runs.

Malicious package

@doaction/eventemitternpm

Malicious code in @doaction/eventemitter (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5370

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @doaction/eventemitter

What this malware does

On npm install, package.json declares "preinstall": "node scripts/postinstall.js", and scripts/preinstall.js unconditionally executes require('@doaction/shared/bin/preinstall.js'). This delegates to a sibling package that collects environment variables and transmits them to a third-party telemetry endpoint (Datadog) without any user opt-in, env-var gate, or interactive prompt. The README only documents reportEventEnv() as an opt-in runtime API, but the preinstall hook bypasses that consent path entirely. The package self-describes as "internal testing" with a placeholder version 9.9.9 under the @doaction scope, matching the dependency-confusion attack shape: an internal-sounding scope plus an outsized version is engineered to win resolution against a private-registry counterpart and execute attacker-controlled code in the installer's CI/build environment. The eventemitter package itself is a thin auto-execution carrier; the harmful payload lives in the @doaction/shared dependency it pulls and immediately invokes.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged

9.9.9

Indicators of compromise (SHA-256)

2cfab693f8195c9b7d400aa6bcc6db510b89cd4920bdb622cc06b369a4ed226f

356613a140f3268f2633d292a37370ac2324af412bd3dbf6be2603f426db80cf

5221b351f74900764906fd20a62e5c3f390473ed87a1d4fb781e34d3ffd2f623

Frequently asked questions

No. @doaction/eventemitter on npm has been identified as a malicious package (version 9.9.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-926j-qqmq-889cIN-MAL-2026-005193IN-MAL-2026-005192

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection