@idms-corp/auth-ui @1.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10224
Ecosystem
npm
Summary
The package's preinstall hook executes examples/verify.js, which initializes Sentry against a hardcoded DSN pointing at the author's Sentry project (o4510485815754752.ingest.us.sentry.io/4511630867824640). The script resolves the installer's public IP via Cloudflare's /cdn-cgi/trace, attaches it to the Sentry scope, and triggers a captured exception, causing the installer's public IP plus default Sentry host metadata (hostname, OS, runtime) to be transmitted to the author's endpoint on every npm install. sendDefaultPii is set to true. Additionally, init() falls back to the same hardcoded author DSN when callers do not pass their own, so any consuming application that calls init() without an explicit dsn silently routes its captured exceptions (stack traces, request data, environment context, PII) to the author's Sentry project rather than the caller's. Package metadata further indicates a namespace-squat shape: scope name suggests an internal organization auth/UI component, but the shipped functionality is a thin Sentry wrapper with no auth or UI code, and the README is a 4-line stub with no disclosure of the install-time network activity or the hardcoded DSN fallback.
Source: amazon-inspector (d0cb0bf81d8c3d114426e2f11d505911497ac5664410f5837dd0bfbb502b6681)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.