slds-lsp-client @2026.7.11
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10234
Ecosystem
npm
Summary
Package name presents as a Salesforce Lightning Design System / Language Server Protocol client, but the shipped code is a thin Sentry wrapper with no SLDS or LSP functionality. package.json declares a preinstall script that runs npm install @sentry/node && node examples/verify.js , which resolves the installer's public IP via a Cloudflare trace endpoint, attaches it as the Sentry user identity (sendDefaultPii:true), and triggers a forced exception so the event — carrying the installer's IP and host/error metadata — is uploaded on npm install with no consent. The Sentry DSN is hardcoded to an author-controlled project at o4510485815754752.ingest.us.sentry.io/4511716882972672 (DEFAULT_DSN in src/index.js). The exported init() also falls back to the same hardcoded DSN when a caller does not supply one, so consumers of the library additionally route their application error telemetry and default PII to the same author endpoint. The name/description mismatch combined with an install-time beacon fits an opportunistic install-time data-collection package targeting typos or misfires.
Source: amazon-inspector (d1a204f1615398c380936de4d1e2603cab90300e0e7bc20770ffd0bbe693ce80)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.