
enbd-react-error-boundry@6.0.0

A utility package that reports runtime errors to Sentry using @sentry/node.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Install runs a verification script that initializes Sentry with the package author's hardcoded DSN, fetches the installing host's public IP, captures a deliberate error, and flushes it. This creates unconsented install-time telemetry/exfiltration.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package (routed for review); source fingerprint signature matched known malicious package (routed for review)
Trigger
npm install / preinstall lifecycle
Impact
Installer environment metadata and public IP can be sent to a package-controlled Sentry project without user invocation.
Mechanism
install-time Sentry error report with public IP context
Attack narrative
On installation, npm executes the preinstall script. That script installs @sentry/node and runs examples/verify.js, which imports the package, initializes Sentry using the built-in DSN, resolves the machine's public IP through Cloudflare's cdn-cgi/trace endpoint, triggers a deliberate exception, and flushes the event. This is not merely a user-invoked error-reporting code path: it runs at install time, without any call from the user, and sends telemetry to a package-controlled Sentry endpoint.
Rationale
Source inspection confirms concrete install-time network exfiltration to a hardcoded Sentry DSN via package.json preinstall and examples/verify.js. This is unconsented lifecycle execution of telemetry collection, so the package should be blocked.
Evidence
  • package.json
  • examples/verify.js
  • src/index.js
  • src/index.d.ts
Network endpoints (4)
  • abbfc11111e117a3556e36aa8f778f4b@o4510485815754752.ingest.us.sentry.io/4511675212038149
  • www.cloudflare.com/cdn-cgi/trace
  • one.one.one.one/cdn-cgi/trace
  • 1.1.1.1/cdn-cgi/trace

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines preinstall: npm install @sentry/node && node examples/verify.js
  • examples/verify.js runs during install, calls init(), setUserFromPublicIp(), check(), and flush()
  • src/index.js has a hardcoded default Sentry DSN for o4510485815754752.ingest.us.sentry.io
  • src/index.js defaults sendDefaultPii: true and can attach public IP via setUserFromPublicIp
  • examples/verify.js deliberately throws an error and flushes it to Sentry during preinstall
Evidence against
  • No child_process usage beyond manifest lifecycle command observed in source files
  • No filesystem writes, agent config mutation, persistence files, or destructive code found
  • Runtime API is otherwise package-aligned error reporting when explicitly used
Behavioral surface
Source
Child Process, Environment Vars, Network
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 10.4 KB of source, external domains: 1.1.1.1, one.one.one.one, www.cloudflare.com

Source & flagged code

4 flagged
package.json
scripts.preinstall = npm install @sentry/node && node examples/verify.js
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

scripts.preinstall = npm install @sentry/node && node examples/verify.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

src/index.js
matchType = normalized_sha256
matchedPackage = sams-sr-sdk-h5@7.0.0
matchedPath = src/index.js
matchedIdentity = npm:c2Ftcy1zci1zZGstaDU:7.0.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

matchType = malicious_source_fingerprint_signature
signature = 77336ad547d16a1c
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = sams-sr-sdk-h5@7.0.0
matchedPath = src/index.js
matchedIdentity = npm:c2Ftcy1zci1zZGstaDU:7.0.0
similarity = 1.000
shingleOverlap = 2
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.


Findings

1 Critical, 3 High, 2 Medium, 3 Low
  • Critical: Red Install Lifecycle Script (package.json)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Known Malware Source Similarity (src/index.js)
  • High: Known Malware Source Fingerprint Signature (src/index.js)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: High Entropy Strings
  • Low: Url Strings