VDB
EN

MAL-2026-10223

Malicious code in @flex-ng/header-component (npm)

상세

The @flex-ng/header-component package was published to the npm registry by user 'click2ai' (maintainer email privatek3m@protonmail.com) as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization (the @flex-ng organizational scope) so that a misconfigured resolver installs this public lookalike instead of the intended private dependency.

The package declares a preinstall hook ("npm install @sentry/node && node examples/verify.js") that executes automatically at npm install time, before any application code runs. The bundled examples/verify.js initializes the @sentry/node client against a hardcoded, attacker-controlled Sentry DSN with sendDefaultPii enabled, resolves the installing host's public egress IP address by requesting Cloudflare's /cdn-cgi/trace endpoint (using a spoofed desktop-browser User-Agent to bypass bot challenges), then deliberately triggers a runtime exception and captures it. Flushing the event beacons the collected host telemetry (public IP plus Sentry default PII such as hostname, OS username and runtime/environment metadata) to the attacker's Sentry ingest endpoint at o4510485815754752.ingest.us.sentry.io.

Each impersonated namespace in the campaign beacons to a distinct Sentry project ID, letting the operator attribute successful installs to specific victim organizations — behaviour consistent with a dependency-confusion reconnaissance beacon rather than legitimate error monitoring. The install-time payload is byte-for-byte identical across all packages published by this account, differing only in the package name and the target DSN. This package's beacon targets Sentry project 4511632071262208.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (79525ec099f129b72ed7d7eb8e57dbe97677cf7078e85c495540cb2bb9510f2b) Package is published under a UI-suggestive name (`@flex-ng/header-component`) but ships no UI/header code — it ships only Sentry error-reporting code plus an install-time telemetry trigger. The `preinstall` lifecycle script in package.json runs `npm install @sentry/node && node examples/verify.js`. `examples/verify.js` fetches the installer's public IP from Cloudflare's `/cdn-cgi/trace`, initializes Sentry against a hardcoded author-owned DSN (`o4510485815754752.ingest.us.sentry.io/4511632071262208`) with `sendDefaultPii: true`, then deliberately triggers and flushes a captured exception. The Sentry event payload includes the installer's public IP, hostname, OS, runtime, and environment context, all transmitted to the author's ingest project on `npm install` without user consent or README disclosure. `src/index.js` additionally hardcodes the same DSN as `DEFAULT_DSN`, so any consumer that later calls `init()` without arguments silently routes their error telemetry (with PII enabled) to the same author-controlled destination. The name/purpose mismatch (header component vs. error-reporter with install-time beacon) functions as cover for unannounced install-time data collection.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / @flex-ng/header-component
최초 영향 버전: 0

No fixed version published yet for @flex-ng/header-component (npm). Pin to a known-safe version or switch to an alternative.

참고