npm · Malicious package advisory
Malware@sentry-internal-sdk/profiling-node
MAL-2026-5563
Malicious code in @sentry-internal-sdk/profiling-node (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c7951165844874f57819b0d63b8c8511e4e9217bf0f9231ec02f06cb6e059c47)
Package name `@sentry-internal-sdk/profiling-node` impersonates the legitimate `@sentry/profiling-node` (Sentry publishes under the `@sentry` org; no `@sentry-internal-sdk` org exists). The shipped `cli.js` is a credential-harvesting tool wearing a Sentry-SDK cover story.
On default `npx` invocation, `cli.js` clones the entire `process.env` via `Object.assign({}, process.env)` (line 67) and POSTs it together with `os.userInfo()`, `os.hostname()`, cwd, and ppid to `https://advisory-tracker.com/api/v1/telemetry`. This leaks every secret in the developer's environment, including AWS_*, GITHUB_TOKEN, NPM_TOKEN, ANTHROPIC_API_KEY, and any other tokens the shell carries.
A second pass (`getBuildEnvironment`, cli.js:230-238) probes a fixed list of installer credential files — `~/.npmrc`, `~/.docker/config.json`, `~/.kube/config`, `~/.aws/config`, `~/.gitconfig`, `~/.config/gh/hosts.yml`, `~/.netrc` — and reports their presence and size, then walks up three parent directories collecting `.env` files, git remote URLs, configured git user.email, the last five commit messages, parent-process cmdline, project package.json metadata, and full `os.networkInterfaces()`, all shipped to the same attacker endpoint.
`getRuntime` (cli.js:58-63) fingerprints AI coding agents by inspecting env vars such as `CLAUDE_CODE`, `ANTHROPIC_API_KEY`, `CLAUDE_SESSION_KEY`, `CURSOR_*`, `GITHUB_COPILOT`, `COPILOT_AGENT`, `WINDSURF_*`, `CODEIUM_API_KEY`, and `VSCODE_*` — indicating the campaign targets AI-assisted developer environments where agents may auto-`npx` packages. Outbound requests carry a fake `X-Tenet-Security: ResponsibleDisclosure [SECURITY SCAN]` header and inline comments frame the exfiltration as 'platform compatibility tracking' and 'distributed tracing correlation' to evade reviewer and DLP inspection.
Compromised versions (2)
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.