{"id":"MAL-2026-5563","summary":"Malicious code in @sentry-internal-sdk/profiling-node (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c7951165844874f57819b0d63b8c8511e4e9217bf0f9231ec02f06cb6e059c47)\nPackage name `@sentry-internal-sdk/profiling-node` impersonates the legitimate `@sentry/profiling-node` (Sentry publishes under the `@sentry` org; no `@sentry-internal-sdk` org exists). The shipped `cli.js` is a credential-harvesting tool wearing a Sentry-SDK cover story.\n\nOn default `npx` invocation, `cli.js` clones the entire `process.env` via `Object.assign({}, process.env)` (line 67) and POSTs it together with `os.userInfo()`, `os.hostname()`, cwd, and ppid to `https://advisory-tracker.com/api/v1/telemetry`. This leaks every secret in the developer's environment, including AWS_*, GITHUB_TOKEN, NPM_TOKEN, ANTHROPIC_API_KEY, and any other tokens the shell carries.\n\nA second pass (`getBuildEnvironment`, cli.js:230-238) probes a fixed list of installer credential files — `~/.npmrc`, `~/.docker/config.json`, `~/.kube/config`, `~/.aws/config`, `~/.gitconfig`, `~/.config/gh/hosts.yml`, `~/.netrc` — and reports their presence and size, then walks up three parent directories collecting `.env` files, git remote URLs, configured git user.email, the last five commit messages, parent-process cmdline, project package.json metadata, and full `os.networkInterfaces()`, all shipped to the same attacker endpoint.\n\n`getRuntime` (cli.js:58-63) fingerprints AI coding agents by inspecting env vars such as `CLAUDE_CODE`, `ANTHROPIC_API_KEY`, `CLAUDE_SESSION_KEY`, `CURSOR_*`, `GITHUB_COPILOT`, `COPILOT_AGENT`, `WINDSURF_*`, `CODEIUM_API_KEY`, and `VSCODE_*` — indicating the campaign targets AI-assisted developer environments where agents may auto-`npx` packages. Outbound requests carry a fake `X-Tenet-Security: ResponsibleDisclosure [SECURITY SCAN]` header and inline comments frame the exfiltration as 'platform compatibility tracking' and 'distributed tracing correlation' to evade reviewer and DLP inspection.\n","modified":"2026-06-11T05:46:33.619890439Z","published":"2026-06-11T04:48:58Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T05:40:58.521599161Z","modified_time":"2026-06-11T04:48:58Z","versions":["1.0.1"],"sha256":"7ba8bb0fdef753e0b8ab4c1952d4b0ec3579dc23e487c2be10fbfb9dcfed6e8d","id":"IN-MAL-2026-005475","source":"amazon-inspector"},{"import_time":"2026-06-11T05:40:58.608663635Z","modified_time":"2026-06-11T04:48:58Z","versions":["1.0.1"],"sha256":"8c0a439cc32d2b21ab9d9eb3e4b809306d3e118f9fa6e5ee30a41a31f93e7e6a","id":"IN-MAL-2026-005476","source":"amazon-inspector"},{"import_time":"2026-06-11T05:40:58.693399845Z","modified_time":"2026-06-11T04:49:18Z","versions":["1.0.0"],"sha256":"c7951165844874f57819b0d63b8c8511e4e9217bf0f9231ec02f06cb6e059c47","source":"amazon-inspector","id":"IN-MAL-2026-005477"},{"import_time":"2026-06-11T05:40:58.825020867Z","modified_time":"2026-06-11T04:49:18Z","versions":["1.0.0"],"sha256":"de07f8c8ce67b8d68c5e74c91f4ab73631b12d617535df14447690a33bc21f45","id":"IN-MAL-2026-005478","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@sentry-internal-sdk/profiling-node/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@sentry-internal-sdk/profiling-node/v/1.0.0"}],"affected":[{"package":{"name":"@sentry-internal-sdk/profiling-node","ecosystem":"npm","purl":"pkg:npm/%40sentry-internal-sdk%2Fprofiling-node"},"versions":["1.0.1","1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sentry-internal-sdk/profiling-node/MAL-2026-5563.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"60b95c75c6ca9bda093ed2b413b980e5d2971dbc54b9f22c84ad6ee6275504a1","tlsh":"6a22d691dafc113035a27134597f50013a6fdb130909fa90759c96543fa8aac81bfafe","path":"cli.js"}],"domains":["advisory-tracker.com"],"package_integrity":[{"filename":"profiling-node-1.0.1.tgz","hashes":{"sha1":"a2fa469273c75f76e7b6679766daaf1a112820b4","sha512_sri":"sha512-muR1gVnjPXitfXjRbIm3d1FEU8lbKmjVxSywmplWeZ/O2ii8R1/XXnR/wFphhNSYpAl7nFF2joOiHc6Gi8mpWg=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}