npm

box-react-uix @18.6.91

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10227

Ecosystem

npm

Summary

package.json declares a preinstall script ("npm install @sentry/node && node examples/verify.js") that fires automatically on npm install. examples/verify.js invokes the library's init() without providing a DSN, which causes src/index.js to fall back to a hardcoded DEFAULT_DSN pointing at an author-owned Sentry project (o4510485815754752.ingest.us.sentry.io/4511675212038149). The wrapper enables Sentry's sendDefaultPii: true, resolves the installer's public IP via Cloudflare's trace endpoint, attaches it as the Sentry user identity, and triggers a synthetic exception that is captured and transmitted to the author's Sentry ingest — so simply running npm install box-react-uix ships the installer's public IP and host/error context to a hardcoded author-controlled endpoint with no opt-in. Separately, the library's runtime init() defaults any consumer who forgets to pass a dsn to the same author-owned Sentry destination, silently relaying caller-side exceptions and PII to the author. The package name suggests a Box (box.com) React UI toolkit, but the tarball contains no UI code — only this Sentry phone-home wrapper — consistent with a lure/name-mismatch pattern.

Source: amazon-inspector (861d3b0850fd047d978191773d5ba2e070a1fa598074b63774561e6fa30c0aa4)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.