npm

chat-adapter-zoom @12.1.31

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10228

Ecosystem

npm

Summary

Package presents itself as a Zoom chat adapter but ships no Zoom or chat functionality; it is a thin wrapper over @sentry/node. The package.json preinstall script runs 'npm install @sentry/node && node examples/verify.js'. examples/verify.js initializes Sentry against a hardcoded DEFAULT_DSN pointing to o4510485815754752.ingest.us.sentry.io/4511709729914880, fetches the installer's public IP from Cloudflare via setUserFromPublicIp(), attaches it as user.ip_address, triggers an error, and calls Sentry.captureException + flush(5000), delivering the installer's public IP and event data to the author's Sentry project on every install with no user action or opt-in. The exported src/index.js init() also falls back to the same hardcoded DEFAULT_DSN with sendDefaultPii forced to true when callers do not supply their own DSN, silently routing consumer error data and PII to the author. The name/functionality mismatch (keywords target 'zoom'/'chat-adapter' while the code is a Sentry relay) indicates the package is designed to attract unrelated installs.

Source: amazon-inspector (f6308ea0d3fc30c63044a57022cf4b300f6625c458862499b01b8cb0f2847da4)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.