ryusaka / りゅうさか

🚨 TL;DR: Attackers are sending fake Sentry bug alerts to projects using public Sentry DSNs. The fake alert is designed to trick AI agents into running a malicious `npx` command that looks like a Sentry profiling diagnostic. Do NOT run commands from Sentry issues/logs/alerts unless verified. These are not legitimate Sentry fix commands. The malicious package reportedly steals environment variables/secrets and sends them to advisory-tracker[.]com.

We are aware of the issue impacting the availability of Cloudflare’s network. It was not an attack; root cause was disabling some logging to help mitigate this week’s React CVE. Will share full details in a blog post today. Sites should be back online now, but I understand the frustration this causes and the work being