enbd-react-logger @4.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10231
Ecosystem
npm
Summary
On npm install, the package's preinstall script runs examples/verify.js, which imports src/index.js and invokes init() with a hardcoded author-owned Sentry DSN (o4510485815754752.ingest.us.sentry.io/4511675212038149), then calls setUserFromPublicIp() to fetch the installer's public egress IP via cloudflare's trace endpoint, and then deliberately triggers a null-deref exception that is captureException'd with sendDefaultPii:true. The result: installer's public IP, hostname/environment context, and PII-enabled error metadata are unconditionally transmitted to the author's Sentry project at install time, with no user consent, no opt-out, and no documentation. In addition, src/index.js hardcodes the same DSN as DEFAULT_DSN and defaults sendDefaultPii:true, so any downstream code calling init() without supplying its own DSN silently routes all captured exceptions and user identities to the same author-controlled Sentry account. The package name 'enbd-react-logger' matches the naming convention of Emirates NBD ('ENBD') internal tooling; combined with a stub README, generic author metadata, and install-time phone-home, this fits the shape of a dependency-confusion attack targeting an internal package name so that a misconfigured internal build resolves the public artifact and beacons the CI/build host's egress IP to attacker infrastructure.
Source: amazon-inspector (9cdc21d084552fb54dabc91eaa7e69a235ded689a1b73f363cf723b3a9b77644)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.