
enbd-react-lib@8.0.0

A utility package that reports runtime errors to Sentry using @sentry/node.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Install triggers unconsented network telemetry to a package-controlled Sentry DSN. The lifecycle demo resolves the installer's public IP and flushes a captured event during preinstall.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package (routed for review); source fingerprint signature matched known malicious package (routed for review).
Trigger
npm install preinstall lifecycle hook
Impact
Installer public IP and generated error/event metadata can be sent to the author's Sentry project during package installation.
Mechanism
install-time Sentry event upload with public IP user context
Attack narrative
On installation, npm runs the preinstall script. That script installs @sentry/node and executes examples/verify.js, which loads the library, initializes Sentry with the package's hardcoded DSN, fetches the machine's public IP from Cloudflare trace, assigns it as Sentry user context, captures a deliberate exception, and flushes the event. This is unconsented install-time telemetry/exfiltration rather than a user-invoked monitoring helper.
Rationale
The package contains legitimate-looking Sentry helpers, but package installation automatically sends data to a hardcoded Sentry project and resolves/attaches the installer's public IP. That install-time network exfiltration is concrete malicious behavior.
Evidence
package.json, examples/verify.js, src/index.js
Network endpoints (4)
  • abbfc11111e117a3556e36aa8f778f4b@o4510485815754752.ingest.us.sentry.io/4511675212038149
  • www.cloudflare.com/cdn-cgi/trace
  • one.one.one.one/cdn-cgi/trace
  • 1.1.1.1/cdn-cgi/trace

Decision evidence

AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json preinstall runs `npm install @sentry/node && node examples/verify.js` during npm install.
  • examples/verify.js initializes src/index.js with the default hardcoded Sentry DSN, fetches public IP, captures an artificial error, and flushes events during install.
  • src/index.js default DSN points to o4510485815754752.ingest.us.sentry.io and init enables sendDefaultPii true.
  • src/index.js getPublicIp fetches Cloudflare trace endpoints and setUserFromPublicIp attaches the resolved IP to Sentry user context.
Evidence against
  • No child_process, eval/vm/Function, dynamic require, filesystem writes, persistence, or AI-agent control-surface writes found.
  • Runtime library behavior is mostly Sentry helper APIs when called by consumers, but the install hook invokes those APIs automatically.
Behavioral surface
  • Source: ChildProcess, EnvironmentVars, Network
  • Supply chain: HighEntropyStrings, UrlStrings
  • Manifest: no manifest risk signals triggered.
scanned 2 file(s), 10.4 KB of source, external domains: 1.1.1.1, one.one.one.one, www.cloudflare.com

Source & flagged code

4 flagged
package.json
scripts.preinstall = npm install @sentry/node && node examples/verify.js
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

scripts.preinstall = npm install @sentry/node && node examples/verify.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

src/index.js
  • matchType = normalized_sha256
  • matchedPackage = sams-sr-sdk-h5@7.0.0
  • matchedPath = src/index.js
  • matchedIdentity = npm:c2Ftcy1zci1zZGstaDU:7.0.0
  • similarity = 1.000
  • summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

  • matchType = malicious_source_fingerprint_signature
  • signature = 77336ad547d16a1c
  • signatureType = suspicious_hashes
  • sourceLabel = final_verdict:malicious
  • matchedPackage = sams-sr-sdk-h5@7.0.0
  • matchedPath = src/index.js
  • matchedIdentity = npm:c2Ftcy1zci1zZGstaDU:7.0.0
  • similarity = 1.000
  • shingleOverlap = 2
  • summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.


Findings

1 Critical, 3 High, 2 Medium, 3 Low
  • Critical: Red Install Lifecycle Script (package.json)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Known Malware Source Similarity (src/index.js)
  • High: Known Malware Source Fingerprint Signature (src/index.js)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: High Entropy Strings
  • Low: Url Strings