npm

@flex-ng/filter-pipe @1.1.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10222

Ecosystem

npm

Summary

On npm install , the package's preinstall script ( npm install @sentry/node && node examples/verify.js ) runs examples/verify.js , which initializes the Sentry SDK against a hardcoded author-owned DSN at o4510485815754752.ingest.us.sentry.io/4511632071262208 with sendDefaultPii: true . It then calls setUserFromPublicIp() to fetch the installer's public IP from Cloudflare's trace endpoint, attaches it as the Sentry user, deliberately triggers a captured exception, and flushes the event to the author's Sentry project. The preinstall path also force-installs @sentry/node from inside the lifecycle hook to ensure the exfiltration code is reachable on a default install. The result is a one-way data flow at install time, carrying the installer's public IP and host/exception metadata to a destination chosen by the package author, with no opt-in or documentation.

Source: amazon-inspector (0524da5220e53f9b627616e80e901415cca4df1e47078849f19b7479dd0ab0db)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.