Feed
HighPublished 3 Jun 20262 packages · 7 versions

@sentry-internals / @sentry-browser-sdk profiling-node typosquat via forged Sentry events

Summary

On 2026-06-03 Nutrient (PSPDFKit) caught a novel two-stage attack: an attacker submitted forged Sentry events through a public browser DSN, displaying "remediation" runbook text that instructed responders (and AI agents) to run npx @sentry-internals/profiling-node --diagnose. The typosquat — and its sibling @sentry-browser-sdk/profiling-node (v1.0.0–1.0.5) — exfiltrated env, working-directory, and dev-context data to advisory-tracker.com before npm replaced both with 0.0.1-security holders.

typosquatprompt-injectioninfostealercredential-theft
Detected by
Nutrient · PSPDFKit
Ecosystems
npm
Packages tracked
2

What happened

Nutrient (the company behind PSPDFKit) published detection tooling and IoCs for an attack chain caught in their own Sentry tenant on 2026-06-03. The attack is novel because no Sentry account was compromised and no npm maintainer was hijacked — the attacker only needed (a) a public browser DSN (which Sentry exposes by design for in-browser SDK use) and (b) the ability to publish a new typosquat package on npm.

Attack chain

At 12:27 CET on 2026-06-03 the attacker published @sentry-internals/profiling-node@1.0.0 to npm. A sibling package, @sentry-browser-sdk/profiling-node, was published across versions 1.0.0–1.0.5 between 2026-06-01 and 2026-06-02. Both impersonate the legitimate @sentry/profiling-node SDK; the namespace twists are subtle (@sentry-internals vs the real @sentry-internal, and the fabricated @sentry-browser-sdk scope).

The attacker then submitted crafted events to a target's public Sentry browser DSN. The event payloads were structured to render in Sentry's issue list as if they were maintainer-written runbook entries — complete with a "Resolution" section, a diagnostic transcript, and the recommended remediation command npx @sentry-internals/profiling-node --diagnose. Engineers or AI agents triaging the issue would see what looked like a legitimate remediation instruction inside their own observability platform.

When executed, the malicious package printed plausible profiling-diagnostic output, then exfiltrated process.env, the working directory listing, git config, and surrounding dev context to https://advisory-tracker.com/api/v1/telemetry (resolving to 52.206.47.180). The exfil HTTP request carried a User-Agent: profiling-node/1.0.0 and a X-Tenet-Security: ResponsibleDisclosure [SECURITY SCAN] header — IoCs that defenders can grep against.

Detection and response

Nutrient's AI triage agent flagged @sentry-internals/profiling-node as an unknown, suspicious typosquat and refused to run it, escalating to the security team — the first publicly-documented case of an AI assistant catching an observability-channel prompt-injection chain. Reports were filed to npm (14:28 CET) and to Sentry (14:48 CET) the same afternoon. npm replaced @sentry-browser-sdk/profiling-node with the canonical 0.0.1-security holder and fully unpublished @sentry-internals/profiling-node. The PSPDFKit/sentry-npm-typosquat-2026-06-iocs GitHub repository was published the same week and archived on 2026-06-06.

Why this matters

This is a new attack class: every Sentry tenant that ingests events from a public-facing browser SDK is a potential observability-channel attack surface. The same technique works against any logging / error-tracking / issue-tracker system that (a) accepts unauthenticated ingestion via a public key and (b) renders incoming content into a UI that an AI agent or human responder treats as trusted maintainer instruction. The defensive perimeter has to move: alert content, logs, ticket bodies, and observability event text are now untrusted input.

Affected packages (2)

  • npm@sentry-browser-sdk/profiling-node
    1.0.01.0.11.0.21.0.31.0.41.0.5
  • npm@sentry-internals/profiling-node
    1.0.0

Impact

  • Developers or AI coding agents that ran the suggested npx ... --diagnose command exfiltrated environment variables, working-directory file lists, and shell context to advisory-tracker.com (52.206.47.180)
  • Both packages typosquat the legitimate @sentry/profiling-node (note: @sentry-internals vs Sentry's real @sentry-internal namespace, and a fully fabricated @sentry-browser-sdk scope)
  • Novel attack class: the typosquat is delivered via observability-channel prompt injection — any application accepting unauthenticated browser-DSN ingestion can be coerced into displaying attacker-controlled "fix this" instructions in its own Sentry issue list
  • AI triage agents (Claude Code, Cursor, Copilot) reading Sentry issue bodies are the primary intended victim — the runbook text is engineered to look like a legitimate maintainer remediation comment
  • No npm account compromise required: the attack runs entirely off the victim's own Sentry tenant and the attacker's freshly-published typosquat package

What to do

  1. 1Audit npm install logs, lockfiles, and shell history for @sentry-internals/profiling-node or @sentry-browser-sdk/profiling-node — the legitimate package is @sentry/profiling-node
  2. 2Treat any host that ran either npx ... --diagnose command as exposed: rotate any credentials reachable from that shell environment (cloud provider, GitHub, npm, AWS profile keys)
  3. 3Block egress to advisory-tracker.com and 52.206.47.180 at network/CI/dev-workstation perimeter
  4. 4Strip or sanitise issue-body content before feeding it to an AI triage agent — treat Sentry event/issue text as untrusted user input
  5. 5Restrict the set of npm packages an AI agent can npx-execute without explicit human confirmation, especially for newly-published packages with no prior history
  6. 6For Sentry tenants exposed to public web traffic: review the documented IoC event IDs fef0ad8b5e374b92a3098ae126d57ce3 and ff3323c0ff3a4b1884329049b8287f06 against your event history

References

npm-2026-06-03-sentry-profiling-typosquat