enbd-react-error-boundry @6.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10229
Ecosystem
npm
Summary
Package name misspells the popular react-error-boundary ('boundry') but ships a Node.js wrapper around @sentry/node with no React error-boundary API. The preinstall lifecycle in package.json runs node examples/verify.js , which calls init() with a hardcoded author-owned Sentry DSN ( https://<key>@o4510485815754752.ingest.us.sentry.io/4511675212038149 ) configured with sendDefaultPii: true , fetches the installer's public egress IP from Cloudflare's /cdn-cgi/trace , attaches it to the Sentry user scope, deliberately triggers an exception, and flushes the event to the author's Sentry project. This fires automatically on npm install . Additionally, the exported init() in the main entry falls back to the same hardcoded DSN when the caller supplies none and no SENTRY_DSN env var is set ( const dsn = options.dsn || process.env.SENTRY_DSN || DEFAULT_DSN ), silently routing any consumer's captured errors, IPs, and PII to the author's Sentry project instead of the consumer's own.
Source: amazon-inspector (2ea43c1f30f0b47752c65b15e8b4a3a0791e9b8bf4a146948e806ce2d62188e2)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.