Package name @doaction/systeminformation impersonates the widely-used systeminformation npm package and is published at suspiciously inflated version 9.9.9. The package.json declares "preinstall": "node scripts/postinstall.js", which delegates to @doaction/shared/bin/preinstall.js — meaning a plain npm install auto-executes code from a sibling package controlled by the same author. The library entry point in src/index.js re-exports collectEnv, sendToDatadog, and reportEnvToDatadog from @doaction/shared and the reportSystemEnv helper collects host identifiers (os.hostname, platform, arch, release, cpu/memory/uptime/loadavg) plus environment variables (whitelist SYSINFO_* is overridable via extraVars) and forwards them through sendToDatadog. The wrapper around the preinstall require swallows all errors other than MODULE_NOT_FOUND, hiding failures from the installer. The combination of name impersonation of a top-100 package, install-time auto-execution, and an API whose declared purpose is shipping installer environment data to a third-party endpoint is the env-exfiltration shape.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.