MAL-2026-10398

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@db-tools/main-app/MAL-2026-10398.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10398
Published
2026-07-13T05:14:59Z
Modified
2026-07-13T07:47:04.390599487Z
Summary
Malicious code in @db-tools/main-app (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2d3b0edc39a389f4099895c647f0cdccbb08c85e56835670468e7a989b172e9f)

package.json declares a preinstall hook npm install @sentry/node && node examples/verify.js that fires on every npm install. examples/verify.js calls the library's init() with no DSN, which falls back to a hardcoded DEFAULTDSN in src/index.js (https://...@o4511652642947072.ingest.de.sentry.io/4511652667785296). verify.js then invokes setUserFromPublicIp() which fetches the installer's public egress IP from https://www.cloudflare.com/cdn-cgi/trace, attaches it as Sentry user context, throws a synthetic exception, and flushes it to the author-controlled Sentry project. The installer has no opportunity to configure or opt out — the data flow is unconditional and non-consensual on npm install. Separately, the exported init() API uses the same hardcoded DEFAULTDSN as its final fallback (after options.dsn and process.env.SENTRY_DSN) and sets sendDefaultPii: true, so any consumer that uses the library without explicitly supplying a DSN silently routes their application's exceptions and PII to the same author-owned Sentry project, with no disclosure in the README.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2d3b0edc39a389f4099895c647f0cdccbb08c85e56835670468e7a989b172e9f",
            "id": "IN-MAL-2026-009800",
            "import_time": "2026-07-13T07:40:09.6345124Z",
            "modified_time": "2026-07-13T05:14:59Z",
            "versions": [
                "2026.6.30"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @db-tools/main-app

Package

Name
@db-tools/main-app
View open source insights on deps.dev
Purl
pkg:npm/%40db-tools/main-app

Affected ranges

Affected versions

2026.*
2026.6.30

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "1da551338e637bd22bbab30fb5351bd4748714263fc3571c77dca19779abd858",
            "tlsh": "9e12a79a35f6232301e250f0025f90d97366c67a3379e9e071598be91fc90b9d6b3ec9",
            "path": "src/index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "main-app-2026.6.30.tgz",
            "hashes": {
                "sha512_sri": "sha512-vQGfrcns5ek+ziD3aBlkgkYI+8VlulSS+uIPhwu/lXIW98mECS+gnX1IKt59efQRztGKcfG9k58kkQPtQtI9cg==",
                "sha1": "269bc7ce4c8332a53ad34847d66886fd5aa87c17"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@db-tools/main-app/MAL-2026-10398.json"