AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package has an install-time lifecycle hook that runs package code and sends Sentry telemetry. Runtime code is an error-reporting wrapper, but install-time public IP lookup and error reporting are unconsented side effects.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of tme-error@2.8.42
Impact
Outbound install-time telemetry from the installing environment, including public IP association and verification error metadata.
Mechanism
preinstall Sentry telemetry execution
Attack narrative
Installing the package triggers its preinstall script, which installs @sentry/node and runs examples/verify.js. That script imports the local package, initializes Sentry using the hardcoded default DSN, fetches the installer process public IP from Cloudflare, captures a deliberate TypeError with context, and flushes the event. This is unconsented install-time network reporting, even though the same primitives are package-aligned when invoked explicitly at runtime.
Rationale
Source inspection confirms concrete install-time code execution and outbound telemetry from package installation. The package lacks broader credential theft or persistence, but the lifecycle hook turns a Sentry utility into unconsented install-time reporting, so blocking is warranted. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonexamples/verify.jssrc/index.jssrc/index.d.ts
Network endpoints4
bbdb73451ed2cd7e25e5529f78013624@o4510485815754752.ingest.us.sentry.io/4511621197856768www.cloudflare.com/cdn-cgi/traceone.one.one.one/cdn-cgi/trace1.1.1.1/cdn-cgi/trace
OSV Corroboration
OpenSSF/OSVAdvisory
MAL-2026-10235
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in tme-error (npm)
Details
The tme-error package was published to the npm registry by user 'click2ai' (maintainer email privatek3m@protonmail.com) as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization (a 'tme' internal namespace) so that a misconfigured resolver installs this public lookalike instead of the intended private dependency.
The package declares a preinstall hook ("npm install @sentry/node && node examples/verify.js") that executes automatically at npm install time, before any application code runs. The bundled examples/verify.js initializes the @sentry/node client against a hardcoded, attacker-controlled Sentry DSN with sendDefaultPii enabled, resolves the installing host's public egress IP address by requesting Cloudflare's /cdn-cgi/trace endpoint (using a spoofed desktop-browser User-Agent to bypass bot challenges), then deliberately triggers a runtime exception and captures it. Flushing the event beacons the collected host telemetry (public IP plus Sentry default PII such as hostname, OS username and runtime/environment metadata) to the attacker's Sentry ingest endpoint at o4510485815754752.ingest.us.sentry.io.
Each impersonated namespace in the campaign beacons to a distinct Sentry project ID, letting the operator attribute successful installs to specific victim organizations — behaviour consistent with a dependency-confusion reconnaissance beacon rather than legitimate error monitoring. The install-time payload is byte-for-byte identical across all packages published by this account, differing only in the package name and the target DSN. This package's beacon targets Sentry project 4511621197856768.
---
## Source: amazon-inspector (eabd8ea56621b2ea3c4ac996268ea1d20a693081064715fccc40748f3b15a354) package.json declares a preinstall hook that runs examples/verify.js on every `npm install`. verify.js calls the library's init() using a hardcoded DEFAULT_DSN in src/index.js pointing at the author's Sentry ingest project (o4510485815754752.ingest.us.sentry.io/4511621197856768), resolves the installer's public IP via a Cloudflare trace and sets it via Sentry.setUser({ip_address}), then deliberately triggers a TypeError so Sentry.captureException uploads an event with sendDefaultPii:true — sending the installer's public IP, hostname, username, and Node runtime metadata to the author's Sentry account at install time, without opt-in. Separately, src/index.js exports init() with the same hardcoded DEFAULT_DSN as its fallback: any consumer that calls init() without supplying options.dsn or SENTRY_DSN silently routes all captured exceptions (with sendDefaultPii enabled) to the author's Sentry project rather than the caller's. The consumer believes they are configuring their own error reporting; the destination is author-controlled.
References
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Malware with medium false-positive risk.
Evidence for block
- package.json defines preinstall: npm install @sentry/node && node examples/verify.js
- examples/verify.js runs during install, initializes Sentry with default DSN, resolves public IP, reports a synthetic error, and flushes
- src/index.js default init uses hardcoded Sentry DSN and sendDefaultPii: true
- src/index.js has public IP lookup to Cloudflare trace endpoints
Evidence against
- src/index.js has no import-time init; exported runtime functions are user-invoked
- No fs, credential harvesting, persistence, eval/vm, native loading, or child_process in package source
- Runtime behavior is broadly aligned with a Sentry error reporting utility
- examples/verify.js reports a test error, not harvested files or environment dumps
Behavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = npm install @sentry/node && node examples/verify.js
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.preinstall = npm install @sentry/node && node examples/verify.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 Critical1 High2 Medium3 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings