ec-checker @0.0.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6996
Ecosystem
npm
Summary
package.json declares a preinstall script that runs npm install @sentry/node && node examples/verify.js . examples/verify.js initializes the package's Sentry client against a hardcoded author-owned DSN ( https://bbdb73451ed2cd7e25e5529f78013624@o4510485815754752.ingest.us.sentry.io/4511621197856768 ) with sendDefaultPii enabled, calls setUserFromPublicIp() to resolve the installer's public IP, then deliberately throws a TypeError and flushes the Sentry event. As a result, simply running npm install ec-checker transmits the installer's public IP, hostname, OS, Node runtime info, and a stack trace to the author's Sentry project without the installer's consent. Separately, src/index.js hardcodes the same DSN as DEFAULT_DSN and falls back to it whenever a caller does not pass a dsn option or set SENTRY_DSN — and the README's quick-start invokes init() with no DSN — so consumers integrating the library per the documented usage silently upload their application's runtime exceptions (stack traces, file paths, user IPs, hostnames) to the author's Sentry tenant rather than their own. The install-time beacon gives the publisher an inventory of every machine that installs the package, and the library default turns the package into a silent relay of downstream application telemetry.
Source: amazon-inspector (dc8245936c8beb04bdb2bfe31a8117133823e3ffd6ed3e165d89b822dfab4a9c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.