Malicious package

@doaction/shared (npm)

Malicious code in @doaction/shared (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5377
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @doaction/shared

What this malware does

@doaction/[email protected] is a dependency-confusion lure that exfiltrates installer environment metadata on every npm install. package.json declares "preinstall": "node bin/postinstall.js", which npm runs automatically with no opt-in. The script collects a fixed list of environment variables (PATH, HOME, USER, HOSTNAME, PWD, SHELL, AWS_REGION, AZURE_REGION, GCP_REGION, COMPUTERNAME, KUBERNETES_* service host/port, NODE_ENV, etc.) along with os.hostname(), and POSTs them to a hardcoded endpoint at https://e1gjv2ne5a.execute-api.ap-northeast-1.amazonaws.com/v1/input.

The code labels this reportEnvToDatadog, but the destination is an AWS API Gateway under the attacker's account — not a Datadog ingest host — so the function name is misdirection. The package itself is functionally hollow (empty dependency list, generic "shared" framing); its only effect on install is the beacon.

The version 9.9.9, combined with the @doaction scope and publishConfig.access=restricted, is the canonical shape of a dependency-confusion attack: it is designed to outrank a private internal package of the same name in a victim's resolver, so any organization using a private @doaction/shared at a lower version will pull this exfiltrator instead.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

2 flagged

  • 9.9.9
  • 99.99.99

Indicators of compromise (SHA-256)

98d75ba1280a1cb2547f2f27463f9d25b4307aec35450d826701dfe96b8c7e15
20361c1cbc298e1b6d0bbfdee93b3c36b77c1d766814002b7a98b4a41771401f
6ad7512f525f8b1793c1998dda1ba9c16b5155336b786d0893efaa0ca6c9327b
27af59798bd2f5065b98c55744c3e0bd3ad2ca6df39a2e89f43fec13d09ba396
caba10985bd532eb067af52e175856a72552c9b9306895ea9fba9c1083277248

Frequently asked questions

No. @doaction/shared on npm has been identified as a malicious package (versions 9.9.9, 99.99.99 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • GHSA-5784-q7wq-ch43
  • IN-MAL-2026-004990
  • IN-MAL-2026-004989
  • IN-MAL-2026-005182
  • IN-MAL-2026-005181

References

Credits

  • Amazon Inspector · finder

@doaction/shared (npm) malicious package — MAL-2026-5377 | O3 Security