Which versions of @doaction/examples are malicious?

The following npm versions of @doaction/examples are flagged malicious: 99.99.99. Treat any of these as compromised.

How do I remediate @doaction/examples if I installed it?

Remove @doaction/examples from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @doaction/examples part of a known attack campaign?

Yes — @doaction/examples is associated with the GHSA-3hg6-5qgp-v676, IN-MAL-2026-004985, IN-MAL-2026-004986 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @doaction/examples in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @doaction/examples and packages like it before any post-install script runs.

Malicious package

@doaction/examplesnpm

Malicious code in @doaction/examples (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5372

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @doaction/examples

What this malware does

@doaction/[email protected] declares preinstall: node scripts/postinstall.js in package.json, which requires @doaction/shared/bin/postinstall.js. The package self-describes as 'for internal testing' and depends on @doaction/shared at ^99.99.99. On npm install, the preinstall hook auto-executes and loads telemetry code from the sibling @doaction/shared package, which collects environment variables and transmits them to a remote destination — the installer has no opportunity to consent and no documented opt-out at this stage. The version 99.99.99 combined with @doaction scope and 'internal testing' wording is the canonical dependency-confusion override fingerprint: any organization with private @doaction/* packages whose installer pulls from public npm instead of an internal registry will resolve and execute this code in place of their internal package. A secondary integrity concern: a separate scripts/preinstall.js file exists but is unreferenced, while the actual preinstall hook points at a file named postinstall.js — a naming inconsistency that obscures what executes at install time.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged

99.99.99

Indicators of compromise (SHA-256)

44da964c1ac1406847f9192c36e492ae4a8bb056aed718e6b72aee397fff34ac

361bc047872fceb7885c47404eef734b43ce8e5e7f13554e79d011be6f383339

a5cf9d24ddb8566d91003c9f3ea71b41c84e2756534fc389c693b60e99081493

Frequently asked questions

No. @doaction/examples on npm has been identified as a malicious package (version 99.99.99 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-3hg6-5qgp-v676IN-MAL-2026-004985IN-MAL-2026-004986

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection