
enbd-react-logger@4.0.0

A utility package that reports runtime errors to Sentry using @sentry/node.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Install-time lifecycle code initializes telemetry with the package author's hardcoded Sentry DSN, fetches the install host's public IP, captures a test exception, and flushes it. This creates unconsented install-time network reporting from the consumer environment.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package (routed for review); source fingerprint signature matched known malicious package (routed for review)
Trigger
npm install runs package.json preinstall
Impact
Consumer install environment public IP and Sentry event metadata can be sent to the package-controlled Sentry project without user opt-in.
Mechanism
install-time Sentry telemetry and public IP collection
Attack narrative
On npm install, the preinstall hook installs @sentry/node and runs examples/verify.js. That script imports the package, initializes Sentry using the hardcoded default DSN, calls a Cloudflare trace endpoint to resolve the host's public IP, sets that IP as Sentry user context, deliberately throws and captures an error, and flushes telemetry. The behavior is not merely an exported logging utility because it executes during install without consumer application opt-in.
Rationale
Source inspection confirms unconsented install-time network telemetry to a hardcoded Sentry project plus public IP collection. Although the package exposes a plausible logging API, executing that reporting path in preinstall is concrete malicious install-hook abuse.
Evidence
package.json, examples/verify.js, src/index.js, src/index.d.ts, README.md
Network endpoints (4)
  • abbfc11111e117a3556e36aa8f778f4b@o4510485815754752.ingest.us.sentry.io/4511675212038149
  • www.cloudflare.com/cdn-cgi/trace
  • one.one.one.one/cdn-cgi/trace
  • 1.1.1.1/cdn-cgi/trace

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json preinstall runs npm install @sentry/node && node examples/verify.js during consumer install
  • examples/verify.js calls init() with no DSN, so src/index.js falls back to a hardcoded Sentry DSN
  • examples/verify.js calls setUserFromPublicIp with Cloudflare trace URL during preinstall
  • examples/verify.js intentionally triggers an exception via check() and flushes Sentry events during preinstall
  • src/index.js defaults sendDefaultPii: true and reports captured exceptions to Sentry
Evidence against
  • No child_process beyond declared lifecycle command, eval/vm/Function, native/binary loading, persistence, destructive writes, or AI-agent control-surface writes found
  • Runtime logging API is package-aligned when explicitly used by an application
Behavioral surface
Source: ChildProcess, EnvironmentVars, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 10.4 KB of source, external domains: 1.1.1.1, one.one.one.one, www.cloudflare.com

Source & flagged code

4 flagged

package.json
scripts.preinstall = npm install @sentry/node && node examples/verify.js
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

scripts.preinstall = npm install @sentry/node && node examples/verify.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

src/index.js
matchType = normalized_sha256
matchedPackage = sams-sr-sdk-h5@7.0.0
matchedPath = src/index.js
matchedIdentity = npm:c2Ftcy1zci1zZGstaDU:7.0.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

matchType = malicious_source_fingerprint_signature
signature = 77336ad547d16a1c
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = sams-sr-sdk-h5@7.0.0
matchedPath = src/index.js
matchedIdentity = npm:c2Ftcy1zci1zZGstaDU:7.0.0
similarity = 1.000
shingleOverlap = 2
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.


Findings

1 Critical, 3 High, 2 Medium, 3 Low
  • Critical: Red Install Lifecycle Script (package.json)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Known Malware Source Similarity (src/index.js)
  • High: Known Malware Source Fingerprint Signature (src/index.js)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: High Entropy Strings
  • Low: Url Strings