npm · Malicious package advisory
Malware@doaction/rrweb-sdk
MAL-2026-5376
Malicious code in @doaction/rrweb-sdk (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6efd52baa69926a32dbac2a3c5eb53c361935e9a3386d2893bf2d7506ab4dfea)
@doaction/rrweb-sdk@9.9.9 is a dependency-confusion / namespace-impersonation package targeting the rrweb session-recording SDK ecosystem. The package's `package.json` declares `"preinstall": "node scripts/postinstall.js"`, and `scripts/postinstall.js` does `require('@doaction/shared/bin/postinstall.js')` unconditionally on `npm install`. The transitive `@doaction/shared` dependency collects installer-side environment data and POSTs it to a Datadog endpoint (the package self-describes as Datadog environment telemetry, and `src/index.js` only re-exports `collectEnv` / `sendToDatadog` / `reportEnvToDatadog` — there is no rrweb session-recording code despite the name and keywords). The 9.9.9 version number is a canonical dependency-confusion marker designed to win semver resolution over a legitimately-named internal `rrweb-sdk` package. The package therefore exfiltrates the installer's environment variables (commonly containing CI tokens, cloud credentials, and internal hostnames) to a third party before the consumer's code ever runs. A second lifecycle script `scripts/preinstall.js` ships alongside but is not the one wired into the hook, consistent with templated mass-publication across multiple impersonated SDK names.
## Source: ghsa-malware (8ae23ff4baeae18c4ffdd4dbdc04091dc055aa34b13a2d906d7f798e3c0c209b)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (2)
- 99.99.99
- 9.9.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.