OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10222 confirms this npm version as malicious. The @flex-ng/filter-pipe package was published to the npm registry by user 'click2ai' (maintainer email privatek3m@protonmail.com) as part of a dependency-confusion / reconnaissance campaign...
Advisory
MAL-2026-10222
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @flex-ng/filter-pipe (npm)
Details
The @flex-ng/filter-pipe package was published to the npm registry by user 'click2ai' (maintainer email privatek3m@protonmail.com) as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization (the @flex-ng organizational scope) so that a misconfigured resolver installs this public lookalike instead of the intended private dependency.
The package declares a preinstall hook ("npm install @sentry/node && node examples/verify.js") that executes automatically at npm install time, before any application code runs. The bundled examples/verify.js initializes the @sentry/node client against a hardcoded, attacker-controlled Sentry DSN with sendDefaultPii enabled, resolves the installing host's public egress IP address by requesting Cloudflare's /cdn-cgi/trace endpoint (using a spoofed desktop-browser User-Agent to bypass bot challenges), then deliberately triggers a runtime exception and captures it. Flushing the event beacons the collected host telemetry (public IP plus Sentry default PII such as hostname, OS username and runtime/environment metadata) to the attacker's Sentry ingest endpoint at o4510485815754752.ingest.us.sentry.io.
Each impersonated namespace in the campaign beacons to a distinct Sentry project ID, letting the operator attribute successful installs to specific victim organizations — behaviour consistent with a dependency-confusion reconnaissance beacon rather than legitimate error monitoring. The install-time payload is byte-for-byte identical across all packages published by this account, differing only in the package name and the target DSN. This package's beacon targets Sentry project 4511632071262208.
---
## Source: amazon-inspector (0524da5220e53f9b627616e80e901415cca4df1e47078849f19b7479dd0ab0db) On `npm install`, the package's `preinstall` script (`npm install @sentry/node && node examples/verify.js`) runs `examples/verify.js`, which initializes the Sentry SDK against a hardcoded author-owned DSN at `o4510485815754752.ingest.us.sentry.io/4511632071262208` with `sendDefaultPii: true`. It then calls `setUserFromPublicIp()` to fetch the installer's public IP from Cloudflare's trace endpoint, attaches it as the Sentry user, deliberately triggers a captured exception, and flushes the event to the author's Sentry project. The preinstall path also force-installs `@sentry/node` from inside the lifecycle hook to ensure the exfiltration code is reachable on a default install. The result is a one-way data flow at install time, carrying the installer's public IP and host/exception metadata to a destination chosen by the package author, with no opt-in or documentation.
Decision reason
OpenSSF Malicious Packages via OSV confirms @flex-ng/filter-pipe@1.1.0 as malicious (MAL-2026-10222): Malicious code in @flex-ng/filter-pipe (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory