@logdna-web/shared @13.19.37
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10225
Ecosystem
npm
Summary
The package's package.json declares a preinstall hook that runs examples/verify.js . On every npm install , that script initializes Sentry against a hardcoded author-owned DSN at o4510485815754752.ingest.us.sentry.io/4511632708141056 , resolves the installer's public IP via Cloudflare's trace endpoint and attaches it as the Sentry event's user.ip_address , deliberately triggers an exception with sendDefaultPii: true , and flushes the event — uploading installer-side identifiers and host/error context to the author's Sentry project without consent. Independently, src/index.js (the package main ) bakes the same DSN as DEFAULT_DSN , so any library consumer that calls init() without supplying their own DSN silently relays their application's exceptions, IPs, and PII to the author's Sentry account rather than failing. The package is published under the scope @logdna-web , which is brand-adjacent to LogDNA/Mezmo's legitimate @logdna scope, while shipping a Sentry-wrapper of unrelated functionality — consistent with a typosquat lure plus active install-time data collection.
Source: amazon-inspector (c60208a158c0b2ae8c9fcbcf682749ecb8bf7729be24aa00dfdfe7144f93587c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.