salesforce-vscode-slds
discovered 2026-07-13Dependency-confusion lookalike impersonating the Salesforce SLDS / Lightning Design System internal/private npm namespace. package.json preinstall auto-installs @sentry/node then runs bundled examples/verify.js -> src/index.js at npm install time: resolves the host public egress IP via Cloudflare /cdn-cgi/trace (spoofed desktop UA), then deliberately triggers and captures a runtime exception with sendDefaultPii: true to beacon host telemetry (public IP + hostname, OS username, runtime/env metadata) to attacker Sentry project 4511716882972672 on o4510485815754752.ingest.us.sentry.io. Published 2026-07-13 by npm user click2ai ([email protected]). OSV malicious range introduced "0" (entire package malicious from first publish). Published 2026-07-13, same account/payload; added to the OSSF PR after reviewer feedback.
Threat types
Malicious versions
- 0
Campaigns
Indicators
Techniques
- ttp T1195.001 Compromise Software Dependencies and Development Toolsuses
- ttp T1036 Masqueradinguses
- ttp T1546 Event Triggered Executionuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1016 System Network Configuration Discoveryuses
- ttp T1082 System Information Discoveryuses
- ttp T1102 Web Serviceuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses