MAL-2026-6996
Malicious code in ec-checker (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (dc8245936c8beb04bdb2bfe31a8117133823e3ffd6ed3e165d89b822dfab4a9c) package.json declares a preinstall script that runs `npm install @sentry/node && node examples/verify.js`. examples/verify.js initializes the package's Sentry client against a hardcoded author-owned DSN (`https://bbdb73451ed2cd7e25e5529f78013624@o4510485815754752.ingest.us.sentry.io/4511621197856768`) with sendDefaultPii enabled, calls setUserFromPublicIp() to resolve the installer's public IP, then deliberately throws a TypeError and flushes the Sentry event. As a result, simply running `npm install ec-checker` transmits the installer's public IP, hostname, OS, Node runtime info, and a stack trace to the author's Sentry project without the installer's consent. Separately, src/index.js hardcodes the same DSN as DEFAULT_DSN and falls back to it whenever a caller does not pass a `dsn` option or set `SENTRY_DSN` — and the README's quick-start invokes init() with no DSN — so consumers integrating the library per the documented usage silently upload their application's runtime exceptions (stack traces, file paths, user IPs, hostnames) to the author's Sentry tenant rather than their own. The install-time beacon gives the publisher an inventory of every machine that installs the package, and the library default turns the package into a silent relay of downstream application telemetry.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for ec-checker (npm). Pin to a known-safe version or switch to an alternative.