Which versions of @doaction/mapstore are malicious?

The following npm versions of @doaction/mapstore are flagged malicious: 9.9.9, 99.99.99. Treat any of these as compromised.

How do I remediate @doaction/mapstore if I installed it?

Remove @doaction/mapstore from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @doaction/mapstore part of a known attack campaign?

Yes — @doaction/mapstore is associated with the GHSA-6mxf-8m2v-f345, IN-MAL-2026-004991, IN-MAL-2026-004992, IN-MAL-2026-005185, IN-MAL-2026-005186 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @doaction/mapstore in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @doaction/mapstore and packages like it before any post-install script runs.

Malicious package

@doaction/mapstorenpm

Malicious code in @doaction/mapstore (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5374

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @doaction/mapstore

What this malware does

@doaction/[email protected] is published to the public npm registry under a sentinel-high version (99.99.99) with a pinned @doaction/shared: ^99.99.99 dependency — the canonical shape of a dependency-confusion attack designed to be resolved over a private internal @doaction/* package. package.json declares "preinstall": "node scripts/postinstall.js", which require()s @doaction/shared/bin/postinstall.js; a sibling preinstall.js wrapper similarly require()s @doaction/shared/bin/preinstall.js. The wrappers self-describe as 'Triggers safe environment telemetry on npm install' and the package's main src/index.js documents the purpose as collecting environment variables and sending them to Datadog. Both wrappers catch and silently swallow non-MODULE_NOT_FOUND errors so the install completes regardless of telemetry success/failure, minimizing installer visibility. The exfiltration runs unconditionally at npm install time with no user opt-in. Installer harm: CI/build environment variables (which routinely include cloud credentials, registry tokens, and CI secrets) are transmitted to a third-party endpoint whenever a build system mistakenly resolves this public package over the intended internal one.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

2 flagged

9.9.999.99.99

Indicators of compromise (SHA-256)

cdeb3abd32e243ae6dc4f5464008936d92ef2e0ae204ac4b5288e76f7247d6af

9692028d96015eee60ce05d38eac9bf0c6e51dd2153cea37cad4756e3b4b3de9

bb19877e00283591ce71589511cadb1dccf94ca06e3c4293edf32da6bc95da20

17cc6504e8b262c63026df7ddc9b2380c33bedf92549260a5cce60ca891247bf

f7443dd043cb2a549062968de3c3d5a096bf8c0b78ac045a9edcb470cf0a8ef5

Frequently asked questions

No. @doaction/mapstore on npm has been identified as a malicious package (versions 9.9.9, 99.99.99 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-6mxf-8m2v-f345IN-MAL-2026-004991IN-MAL-2026-004992IN-MAL-2026-005185IN-MAL-2026-005186

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection