VDB
KO

MAL-2026-10231

Malicious code in enbd-react-logger (npm)

Details

The enbd-react-logger package was published to the npm registry by user 'click2ai' (maintainer email privatek3m@protonmail.com) as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization (an 'enbd' internal namespace (Emirates NBD-style naming)) so that a misconfigured resolver installs this public lookalike instead of the intended private dependency.

The package declares a preinstall hook ("npm install @sentry/node && node examples/verify.js") that executes automatically at npm install time, before any application code runs. The bundled examples/verify.js initializes the @sentry/node client against a hardcoded, attacker-controlled Sentry DSN with sendDefaultPii enabled, resolves the installing host's public egress IP address by requesting Cloudflare's /cdn-cgi/trace endpoint (using a spoofed desktop-browser User-Agent to bypass bot challenges), then deliberately triggers a runtime exception and captures it. Flushing the event beacons the collected host telemetry (public IP plus Sentry default PII such as hostname, OS username and runtime/environment metadata) to the attacker's Sentry ingest endpoint at o4510485815754752.ingest.us.sentry.io.

Each impersonated namespace in the campaign beacons to a distinct Sentry project ID, letting the operator attribute successful installs to specific victim organizations — behaviour consistent with a dependency-confusion reconnaissance beacon rather than legitimate error monitoring. The install-time payload is byte-for-byte identical across all packages published by this account, differing only in the package name and the target DSN. This package's beacon targets Sentry project 4511675212038149.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9cdc21d084552fb54dabc91eaa7e69a235ded689a1b73f363cf723b3a9b77644) On npm install, the package's preinstall script runs examples/verify.js, which imports src/index.js and invokes init() with a hardcoded author-owned Sentry DSN (o4510485815754752.ingest.us.sentry.io/4511675212038149), then calls setUserFromPublicIp() to fetch the installer's public egress IP via cloudflare's trace endpoint, and then deliberately triggers a null-deref exception that is captureException'd with sendDefaultPii:true. The result: installer's public IP, hostname/environment context, and PII-enabled error metadata are unconditionally transmitted to the author's Sentry project at install time, with no user consent, no opt-out, and no documentation. In addition, src/index.js hardcodes the same DSN as DEFAULT_DSN and defaults sendDefaultPii:true, so any downstream code calling init() without supplying its own DSN silently routes all captured exceptions and user identities to the same author-controlled Sentry account. The package name 'enbd-react-logger' matches the naming convention of Emirates NBD ('ENBD') internal tooling; combined with a stub README, generic author metadata, and install-time phone-home, this fits the shape of a dependency-confusion attack targeting an internal package name so that a misconfigured internal build resolves the public artifact and beacons the CI/build host's egress IP to attacker infrastructure.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / enbd-react-logger
Introduced in: 0

No fixed version published yet for enbd-react-logger (npm). Pin to a known-safe version or switch to an alternative.

References