Which versions of @doaction/systeminformation are malicious?

The following npm versions of @doaction/systeminformation are flagged malicious: 9.9.9. Treat any of these as compromised.

How do I remediate @doaction/systeminformation if I installed it?

Remove @doaction/systeminformation from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @doaction/systeminformation part of a known attack campaign?

Yes — @doaction/systeminformation is associated with the GHSA-xj3m-q8rc-3f5j, IN-MAL-2026-005171, IN-MAL-2026-005172 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @doaction/systeminformation in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @doaction/systeminformation and packages like it before any post-install script runs.

Malicious package

@doaction/systeminformationnpm

Malicious code in @doaction/systeminformation (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5381

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @doaction/systeminformation

What this malware does

Package name @doaction/systeminformation impersonates the widely-used systeminformation npm package and is published at suspiciously inflated version 9.9.9. The package.json declares "preinstall": "node scripts/postinstall.js", which delegates to @doaction/shared/bin/preinstall.js — meaning a plain npm install auto-executes code from a sibling package controlled by the same author. The library entry point in src/index.js re-exports collectEnv, sendToDatadog, and reportEnvToDatadog from @doaction/shared and the reportSystemEnv helper collects host identifiers (os.hostname, platform, arch, release, cpu/memory/uptime/loadavg) plus environment variables (whitelist SYSINFO_* is overridable via extraVars) and forwards them through sendToDatadog. The wrapper around the preinstall require swallows all errors other than MODULE_NOT_FOUND, hiding failures from the installer. The combination of name impersonation of a top-100 package, install-time auto-execution, and an API whose declared purpose is shipping installer environment data to a third-party endpoint is the env-exfiltration shape.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged

9.9.9

Indicators of compromise (SHA-256)

7b38f4bf62236284837f0d0742f0bd12aa7cc5c0a41163713d287c7551bd1fea

4d2fd59d1828036e5c2cc49573fe68220054d50c3d41e0782735809a4c05ac45

f93d6bb944e989ce27814352bb53d38fc6e14234e4bb185921fc9c49b022c4c7

Frequently asked questions

No. @doaction/systeminformation on npm has been identified as a malicious package (version 9.9.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-xj3m-q8rc-3f5jIN-MAL-2026-005171IN-MAL-2026-005172

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection