npm

tme-xca @3.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10236

Ecosystem

npm

Summary

On npm install , the package's preinstall hook executes examples/verify.js , which initializes Sentry against a hardcoded author-controlled DSN (project o4510485815754752.ingest.us.sentry.io/4511630928838656 ), fetches the installer's public IP from Cloudflare's trace endpoint, attaches it as the Sentry user identity, deliberately throws to generate an event, and flushes upstream. Every install of this version transmits the installer's public egress IP and host-side error context to a fixed remote destination the installer did not choose. Separately, src/index.js hardcodes the same DSN as DEFAULT_DSN and enables sendDefaultPii: true ; consumers who call the advertised init / check / reportError API without supplying their own DSN or setting SENTRY_DSN silently route their captured exceptions and PII into the author's Sentry account. The relay is not the documented purpose of an error-reporting helper, and the destination is hardcoded to the author rather than configured by the installer.

Source: amazon-inspector (6012c6bcd17a7184340cb8ed6dc94d58d97b92826c0f510d81ddebd4160d86f0)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.