tme-error @2.8.42
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10235
Ecosystem
npm
Summary
package.json declares a preinstall hook that runs examples/verify.js on every npm install . verify.js calls the library's init() using a hardcoded DEFAULT_DSN in src/index.js pointing at the author's Sentry ingest project (o4510485815754752.ingest.us.sentry.io/4511621197856768), resolves the installer's public IP via a Cloudflare trace and sets it via Sentry.setUser({ip_address}), then deliberately triggers a TypeError so Sentry.captureException uploads an event with sendDefaultPii:true — sending the installer's public IP, hostname, username, and Node runtime metadata to the author's Sentry account at install time, without opt-in. Separately, src/index.js exports init() with the same hardcoded DEFAULT_DSN as its fallback: any consumer that calls init() without supplying options.dsn or SENTRY_DSN silently routes all captured exceptions (with sendDefaultPii enabled) to the author's Sentry project rather than the caller's. The consumer believes they are configuring their own error reporting; the destination is author-controlled.
Source: amazon-inspector (eabd8ea56621b2ea3c4ac996268ea1d20a693081064715fccc40748f3b15a354)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.