npm

salesforce-vscode-slds @2026.7.11

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10232

Ecosystem

npm

Summary

The package name mimics Salesforce's SLDS/VS Code ecosystem but ships no SLDS functionality; it is a generic Sentry uploader authored by an unrelated party. The preinstall script ( npm install @sentry/node && node examples/verify.js ) runs on npm install : examples/verify.js initializes Sentry with a hardcoded DSN ( https://d4616e08f531447bd415e91fd21940a6@o4510485815754752.ingest.us.sentry.io/4511716882972672 ) and sendDefaultPii: true , fetches the installer's public IP from Cloudflare's cdn-cgi/trace , attaches it as ip_address on the Sentry user scope, deliberately throws to generate an event, and flushes to the hardcoded endpoint — so installing the package emits the developer's egress IP and process metadata to a Sentry project the installer does not own. The package main ( src/index.js ) also hardcodes the same DSN as DEFAULT_DSN , so any consumer calling init() / check / wrap / reportError without an explicit dsn or SENTRY_DSN silently routes their runtime errors and default PII to the same author-controlled project. The typosquat name is the lure for developers expecting a Salesforce package.

Source: amazon-inspector (0917b0d6d85d4b6d865e8d7febb4b84fe2ef0d526d18c1d754706f3213b2a485)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.