MAL-2026-5563

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sentry-internal-sdk/profiling-node/MAL-2026-5563.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5563

Published

2026-06-11T04:48:58Z

Modified

2026-06-11T05:46:33.619890439Z

Summary

Malicious code in @sentry-internal-sdk/profiling-node (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c7951165844874f57819b0d63b8c8511e4e9217bf0f9231ec02f06cb6e059c47)

Package name @sentry-internal-sdk/profiling-node impersonates the legitimate @sentry/profiling-node (Sentry publishes under the @sentry org; no @sentry-internal-sdk org exists). The shipped cli.js is a credential-harvesting tool wearing a Sentry-SDK cover story.

On default npx invocation, cli.js clones the entire process.env via Object.assign({}, process.env) (line 67) and POSTs it together with os.userInfo(), os.hostname(), cwd, and ppid to https://advisory-tracker.com/api/v1/telemetry. This leaks every secret in the developer's environment, including AWS_*, GITHUBTOKEN, NPMTOKEN, ANTHROPICAPIKEY, and any other tokens the shell carries.

A second pass (getBuildEnvironment, cli.js:230-238) probes a fixed list of installer credential files — ~/.npmrc, ~/.docker/config.json, ~/.kube/config, ~/.aws/config, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.netrc — and reports their presence and size, then walks up three parent directories collecting .env files, git remote URLs, configured git user.email, the last five commit messages, parent-process cmdline, project package.json metadata, and full os.networkInterfaces(), all shipped to the same attacker endpoint.

getRuntime (cli.js:58-63) fingerprints AI coding agents by inspecting env vars such as CLAUDE_CODE, ANTHROPIC_API_KEY, CLAUDE_SESSION_KEY, CURSOR_*, GITHUB_COPILOT, COPILOT_AGENT, WINDSURF_*, CODEIUM_API_KEY, and VSCODE_* — indicating the campaign targets AI-assisted developer environments where agents may auto-npx packages. Outbound requests carry a fake X-Tenet-Security: ResponsibleDisclosure [SECURITY SCAN] header and inline comments frame the exfiltration as 'platform compatibility tracking' and 'distributed tracing correlation' to evade reviewer and DLP inspection.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005475",
            "import_time": "2026-06-11T05:40:58.521599161Z",
            "sha256": "7ba8bb0fdef753e0b8ab4c1952d4b0ec3579dc23e487c2be10fbfb9dcfed6e8d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:48:58Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005476",
            "versions": [
                "1.0.1"
            ],
            "sha256": "8c0a439cc32d2b21ab9d9eb3e4b809306d3e118f9fa6e5ee30a41a31f93e7e6a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:48:58Z",
            "import_time": "2026-06-11T05:40:58.608663635Z"
        },
        {
            "id": "IN-MAL-2026-005477",
            "import_time": "2026-06-11T05:40:58.693399845Z",
            "sha256": "c7951165844874f57819b0d63b8c8511e4e9217bf0f9231ec02f06cb6e059c47",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:49:18Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-005478",
            "versions": [
                "1.0.0"
            ],
            "sha256": "de07f8c8ce67b8d68c5e74c91f4ab73631b12d617535df14447690a33bc21f45",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:49:18Z",
            "import_time": "2026-06-11T05:40:58.825020867Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @sentry-internal-sdk/profiling-node

Package

Name: @sentry-internal-sdk/profiling-node; View open source insights on deps.dev
Purl: pkg:npm/%40sentry-internal-sdk%2Fprofiling-node

Affected ranges

Affected versions

1.*

1.0.0

1.0.1

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "cli.js",
            "sha256": "60b95c75c6ca9bda093ed2b413b980e5d2971dbc54b9f22c84ad6ee6275504a1",
            "tlsh": "6a22d691dafc113035a27134597f50013a6fdb130909fa90759c96543fa8aac81bfafe"
        }
    ],
    "package_integrity": [
        {
            "filename": "profiling-node-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-muR1gVnjPXitfXjRbIm3d1FEU8lbKmjVxSywmplWeZ/O2ii8R1/XXnR/wFphhNSYpAl7nFF2joOiHc6Gi8mpWg==",
                "sha1": "a2fa469273c75f76e7b6679766daaf1a112820b4"
            }
        }
    ],
    "domains": [
        "advisory-tracker.com"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sentry-internal-sdk/profiling-node/MAL-2026-5563.json"