OSV ID
MAL-2026-10236
Ecosystem
npm
Summary
On npm install , the package's preinstall hook executes examples/verify.js , which initializes Sentry against a hardcoded author-controlled DSN (project o4510485815754752.ingest.us.sentry.io/4511630928838656 ), fetches the installer's public IP from Cloudflare's trace endpoint, attaches it as the Sentry user identity, deliberately throws to generate an event, and flushes upstream. Every install of this version transmits the installer's public egress IP and host-side error context to a fixed remote destination the installer did not choose. Separately, src/index.js hardcodes the same DSN as DEFAULT_DSN and enables sendDefaultPii: true ; consumers who call the advertised init / check / reportError API without supplying their own DSN or setting SENTRY_DSN silently route their captured exceptions and PII into the author's Sentry account. The relay is not the documented purpose of an error-reporting helper, and the destination is hardcoded to the author rather than configured by the installer.
Source: amazon-inspector (6012c6bcd17a7184340cb8ed6dc94d58d97b92826c0f510d81ddebd4160d86f0)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.