-= Per source details. Do not edit below this line.=-
package.json declares a preinstall hook npm install @sentry/node && node examples/verify.js that fires on every npm install. examples/verify.js calls the library's init() with no DSN, which falls back to a hardcoded DEFAULTDSN in src/index.js (https://...@o4511652642947072.ingest.de.sentry.io/4511652667785296). verify.js then invokes setUserFromPublicIp() which fetches the installer's public egress IP from https://www.cloudflare.com/cdn-cgi/trace, attaches it as Sentry user context, throws a synthetic exception, and flushes it to the author-controlled Sentry project. The installer has no opportunity to configure or opt out — the data flow is unconditional and non-consensual on npm install. Separately, the exported init() API uses the same hardcoded DEFAULTDSN as its final fallback (after options.dsn and process.env.SENTRY_DSN) and sets sendDefaultPii: true, so any consumer that uses the library without explicitly supplying a DSN silently routes their application's exceptions and PII to the same author-owned Sentry project, with no disclosure in the README.
{
"malicious-packages-origins": [
{
"sha256": "2d3b0edc39a389f4099895c647f0cdccbb08c85e56835670468e7a989b172e9f",
"id": "IN-MAL-2026-009800",
"import_time": "2026-07-13T07:40:09.6345124Z",
"modified_time": "2026-07-13T05:14:59Z",
"versions": [
"2026.6.30"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "1da551338e637bd22bbab30fb5351bd4748714263fc3571c77dca19779abd858",
"tlsh": "9e12a79a35f6232301e250f0025f90d97366c67a3379e9e071598be91fc90b9d6b3ec9",
"path": "src/index.js"
}
],
"package_integrity": [
{
"filename": "main-app-2026.6.30.tgz",
"hashes": {
"sha512_sri": "sha512-vQGfrcns5ek+ziD3aBlkgkYI+8VlulSS+uIPhwu/lXIW98mECS+gnX1IKt59efQRztGKcfG9k58kkQPtQtI9cg==",
"sha1": "269bc7ce4c8332a53ad34847d66886fd5aa87c17"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@db-tools/main-app/MAL-2026-10398.json"