enbd-react-lib @8.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10230
Ecosystem
npm
Summary
Package enbd-react-lib@8.0.0 declares a preinstall script that runs node examples/verify.js . That script initializes Sentry with sendDefaultPii: true against a hardcoded DSN pointing at o4510485815754752.ingest.us.sentry.io/4511675212038149 (author-controlled Sentry project), resolves the installer's public IP via cloudflare.com/cdn-cgi/trace , attaches it via setUser({ip_address}) , triggers a synthetic exception, and flushes the event. As a result, every npm install causes the installer's public IP and host/error context to be sent to the author's Sentry project without any opt-in. Additionally, src/index.js (the package main ) hardcodes the same DSN as DEFAULT_DSN and is used whenever a downstream caller invokes init() without supplying their own dsn or SENTRY_DSN , silently relaying consumer application exceptions, user data, and IPs to the same author-controlled Sentry ingest endpoint rather than the caller's own project. The package name ( enbd-react-lib ) evokes an internal Emirates NBD React library, but the shipped code is a generic Sentry wrapper with no ENBD- or React-related functionality — consistent with a lure targeting Emirates NBD developers or CI systems.
Source: amazon-inspector (2ec45d22887d4ddcc03726e5614da388502600168d59bfa7a12453a90c22fc00)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.