npm

@logdna-web/shared @13.19.37

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10225

Ecosystem

npm

Summary

The package's package.json declares a preinstall hook that runs examples/verify.js . On every npm install , that script initializes Sentry against a hardcoded author-owned DSN at o4510485815754752.ingest.us.sentry.io/4511632708141056 , resolves the installer's public IP via Cloudflare's trace endpoint and attaches it as the Sentry event's user.ip_address , deliberately triggers an exception with sendDefaultPii: true , and flushes the event — uploading installer-side identifiers and host/error context to the author's Sentry project without consent. Independently, src/index.js (the package main ) bakes the same DSN as DEFAULT_DSN , so any library consumer that calls init() without supplying their own DSN silently relays their application's exceptions, IPs, and PII to the author's Sentry account rather than failing. The package is published under the scope @logdna-web , which is brand-adjacent to LogDNA/Mezmo's legitimate @logdna scope, while shipping a Sentry-wrapper of unrelated functionality — consistent with a typosquat lure plus active install-time data collection.

Source: amazon-inspector (c60208a158c0b2ae8c9fcbcf682749ecb8bf7729be24aa00dfdfe7144f93587c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.