sams-sr-sdk-h5 @7.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10233
Ecosystem
npm
Summary
The package's declared preinstall script runs examples/verify.js, which fetches the installer's public egress IP via a Cloudflare trace endpoint and then deliberately throws an exception captured by Sentry and flushed to a hardcoded DSN (https://<key>@o4510485815754752.ingest.us.sentry.io/4511664042999808) with sendDefaultPii=true. Running npm install sams-sr-sdk-h5 is enough to transmit host metadata (OS, hostname, runtime, public IP, stack) to the author's Sentry project without any user action. Separately, the library's init() falls back to the same hardcoded DSN when the caller does not supply a dsn option or SENTRY_DSN environment variable, so any consumer that follows the advertised usage silently routes their application errors and end-user PII/IPs to the author-controlled Sentry account. Package name and stub README (only a title and an npm install line) are also consistent with a dependency-confusion attempt against an internal sams SDK namespace.
Source: amazon-inspector (8ef694ad4b3de8241aaab7efc741aa6f3714b40f105ffe7c4e8dffc75debdd73)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.