npm

sams-sr-sdk-h5 @7.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10233

Ecosystem

npm

Summary

The package's declared preinstall script runs examples/verify.js, which fetches the installer's public egress IP via a Cloudflare trace endpoint and then deliberately throws an exception captured by Sentry and flushed to a hardcoded DSN (https://<key>@o4510485815754752.ingest.us.sentry.io/4511664042999808) with sendDefaultPii=true. Running npm install sams-sr-sdk-h5 is enough to transmit host metadata (OS, hostname, runtime, public IP, stack) to the author's Sentry project without any user action. Separately, the library's init() falls back to the same hardcoded DSN when the caller does not supply a dsn option or SENTRY_DSN environment variable, so any consumer that follows the advertised usage silently routes their application errors and end-user PII/IPs to the author-controlled Sentry account. Package name and stub README (only a title and an npm install line) are also consistent with a dependency-confusion attempt against an internal sams SDK namespace.

Source: amazon-inspector (8ef694ad4b3de8241aaab7efc741aa6f3714b40f105ffe7c4e8dffc75debdd73)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.