@doaction/types@99.99.99 is a dependency-confusion lure targeting an internal @doaction scope. The package.json declares "version": "99.99.99" and pins "@doaction/shared": "^99.99.99" — the canonical version-flooding pattern designed to beat any private-registry copy of the same scoped name. The preinstall lifecycle hook ("preinstall": "node scripts/postinstall.js") runs automatically on npm install and require()s @doaction/shared/bin/preinstall.js; src/index.js wires reportEnvToDatadog from @doaction/shared, whose declared purpose is to collect environment variables and POST them to Datadog. The installer never opts in. The require() is wrapped in a try/catch that swallows everything except MODULE_NOT_FOUND, suppressing exfil errors in CI logs. The combination — internal-scope name confusion, 99.99.99 version flood, automatic preinstall execution, env-var shipment via a sibling package, and silenced error output — is the textbook dependency-confusion exfiltration shape and produces direct attacker benefit (capture of internal env vars, which routinely include CI tokens, cloud credentials, and registry auth).

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.