npm: '@doaction' Scope Floods Registry with 15 Malicious Packages in Coordinated Drop
A coordinated campaign has flooded the npm registry with 15 malicious packages published under the '@doaction' scope, all of which were flagged and removed in a single minute.

Key findings
- A coordinated campaign published 15 malicious packages under the '@doaction' npm scope
- All 15 advisories were disclosed simultaneously in a single minute on June 9, 2026
- The package '@doaction/http' was published just one hour before the registry-wide takedown
- All packages in the campaign received a Critical severity rating, indicating high-risk payloads
- The naming convention targets common utilities like 'sudo-prompt' and 'systeminformation'
On June 9, 2026, security teams executed a rapid takedown of 15 malicious packages on the npm registry, all published under the unified @doaction scope. The entire batch of advisories was published simultaneously at 14:17 UTC, indicating a coordinated sweep by registry administrators. Metadata reveals that at least one of the packages, @doaction/http, was registered and published just an hour prior to the sweep, pointing to an active, fast-moving campaign that was caught almost immediately after deployment.

The campaign relied heavily on a structured naming convention designed to mimic legitimate enterprise utilities or internal development libraries. By utilizing the @doaction scope, the attacker published packages with names that closely mirror common open-source dependencies and system tools. Among the 15 flagged packages are @doaction/sudo-prompt, @doaction/systeminformation, @doaction/types, @doaction/auth, and @doaction/shared. This naming pattern suggests the threat actor may have been preparing for a dependency confusion attack or attempting to trick developers who mistakenly configure their package managers to pull from public registries instead of private scopes.

While specific behavioral logs were not detailed in the initial disclosures, the uniform Critical severity rating across all 15 advisories indicates highly dangerous payloads. In scoped attacks of this nature, malicious packages typically leverage post-install scripts to execute arbitrary commands immediately upon installation. These scripts often attempt to harvest environment variables, exfiltrate sensitive cloud credentials, or establish reverse shells back to attacker-controlled infrastructure.

The implications for any development environment that pulled these packages are severe. Security advisories warn that any system executing these packages must be treated as fully compromised. Because the malicious code runs with the privileges of the installing user, it can access local files, SSH keys, and active session tokens. Organizations must not only remove the packages but also conduct a thorough forensic review of any build pipelines or developer workstations that may have fetched these dependencies.

To defend against this campaign, security teams should immediately scan their environments and audit package-lock.json or yarn.lock files for any references to the @doaction scope. The following list is a representative subset of the malicious packages identified in this burst:

- @doaction/types
- @doaction/sudo-prompt
- @doaction/systeminformation
- @doaction/auth
- @doaction/shared
- @doaction/http
- @doaction/wasm-loader

If any of these packages are found, the affected systems must be isolated, and all credentials associated with those environments must be rotated immediately.

This incident highlights the ongoing challenge of scoped package abuse on npm. Attackers frequently register custom scopes to host a suite of malicious packages, hoping to exploit misconfigured registry routing or developer oversight. The rapid detection and simultaneous takedown of the @doaction campaign underscore the critical role of automated registry monitoring and coordinated disclosure in mitigating supply chain threats before they can achieve widespread distribution.
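The lockfile audit recommended above, as an added example that is not part of the advisory: two helpers that report every package under a given scope in a parsed package-lock.json (lockfileVersion 1, 2 and 3 layouts) and in a classic yarn.lock. The sample lockfiles are constructed for the demonstration; the function names are my own.

```javascript
// Added example, not code from the advisory: audit npm lockfiles for a scope.
// Lockfile contents are assumed to be already read into memory.

// Return package names under `scope` found in a parsed package-lock.json.
// Covers lockfileVersion 1 (nested "dependencies") and 2/3 ("packages" keyed
// by "node_modules/<name>" paths, possibly nested under other packages).
function findScopedInPackageLock(lock, scope) {
  const hits = new Set();
  const prefix = scope + '/';
  for (const key of Object.keys(lock.packages || {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the root entry "" is the project itself
    const name = key.slice(idx + 'node_modules/'.length);
    if (name.startsWith(prefix)) hits.add(name);
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name.startsWith(prefix)) hits.add(name);
      walk(entry.dependencies); // v1 nests transitive deps
    }
  };
  walk(lock.dependencies);
  return [...hits].sort();
}

// Return package names under `scope` found in a classic yarn.lock, whose entry
// headers sit at column 0, e.g. "@doaction/http@^1.0.0": (quotes optional).
function findScopedInYarnLock(text, scope) {
  const hits = new Set();
  const re = /^"?(@[^\s"@/]+\/[^\s"@]+|[^\s"@]+)@/;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith(' ') || line.startsWith('#')) continue;
    const m = re.exec(line);
    if (m && m[1].startsWith(scope + '/')) hits.add(m[1]);
  }
  return [...hits].sort();
}

// Constructed sample lockfiles using package names from the advisory.
const SAMPLE_PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/@doaction/http': { version: '1.0.0' },
    'node_modules/foo/node_modules/@doaction/types': { version: '0.1.0' },
  },
};
const SAMPLE_YARN_LOCK = '# yarn lockfile v1\n\n"@doaction/sudo-prompt@^1.0.0":\n' +
  '  version "1.0.0"\n\nlodash@^4.17.21:\n  version "4.17.21"\n';

console.log(findScopedInPackageLock(SAMPLE_PACKAGE_LOCK, '@doaction'));
```

Any non-empty result is a signal to isolate the host and rotate its credentials, as the advisory directs.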