npm

@flex-ng/header-component @0.1.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10223

Ecosystem

npm

Summary

Package is published under a UI-suggestive name ( @flex-ng/header-component ) but ships no UI/header code — it ships only Sentry error-reporting code plus an install-time telemetry trigger. The preinstall lifecycle script in package.json runs npm install @sentry/node && node examples/verify.js . examples/verify.js fetches the installer's public IP from Cloudflare's /cdn-cgi/trace , initializes Sentry against a hardcoded author-owned DSN ( o4510485815754752.ingest.us.sentry.io/4511632071262208 ) with sendDefaultPii: true , then deliberately triggers and flushes a captured exception. The Sentry event payload includes the installer's public IP, hostname, OS, runtime, and environment context, all transmitted to the author's ingest project on npm install without user consent or README disclosure. src/index.js additionally hardcodes the same DSN as DEFAULT_DSN , so any consumer that later calls init() without arguments silently routes their error telemetry (with PII enabled) to the same author-controlled destination. The name/purpose mismatch (header component vs. error-reporter with install-time beacon) functions as cover for unannounced install-time data collection.

Source: amazon-inspector (79525ec099f129b72ed7d7eb8e57dbe97677cf7078e85c495540cb2bb9510f2b)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.