npm

@flex-ng/error-component @2.1.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10221

Ecosystem

npm

Summary

package.json declares a preinstall hook ("npm install @sentry/node && node examples/verify.js") that runs on every npm install . examples/verify.js calls init() without a DSN; src/index.js falls back to a hardcoded DSN at https://o4510485815754752.ingest.us.sentry.io/4511632071262208 (author-controlled Sentry project). The script then resolves the installer's public egress IP (via a Cloudflare trace lookup in setUserFromPublicIp), enables sendDefaultPii: true, deliberately triggers an error, and ships the resulting event — carrying the installer's IP and host context — to the author's Sentry org. The installer never opts in: there is no DSN configuration step, the destination is hardcoded, and the README does not document this behavior. Additionally, the exported init() API hardcodes the same author DSN as its fallback, so any consumer who calls init() without explicit configuration silently relays their exceptions and PII to the author's Sentry account instead of their own.

Source: amazon-inspector (ee4da18b90ebb68eae630b191b37737312e50fe4fdc0a8472616ba070a7348fb)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.