Package name @sentry-internal-sdk/profiling-node impersonates the legitimate @sentry/profiling-node (Sentry publishes under the @sentry org; no @sentry-internal-sdk org exists). The shipped cli.js is a credential-harvesting tool wearing a Sentry-SDK cover story.

On default npx invocation, cli.js clones the entire process.env via Object.assign({}, process.env) (line 67) and POSTs it together with os.userInfo(), os.hostname(), cwd, and ppid to https://advisory-tracker.com/api/v1/telemetry. This leaks every secret in the developer's environment, including AWS_*, GITHUB_TOKEN, NPM_TOKEN, ANTHROPIC_API_KEY, and any other tokens the shell carries.

A second pass (getBuildEnvironment, cli.js:230-238) probes a fixed list of installer credential files — ~/.npmrc, ~/.docker/config.json, ~/.kube/config, ~/.aws/config, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.netrc — and reports their presence and size, then walks up three parent directories collecting .env files, git remote URLs, configured git user.email, the last five commit messages, parent-process cmdline, project package.json metadata, and full os.networkInterfaces(), all shipped to the same attacker endpoint.

getRuntime (cli.js:58-63) fingerprints AI coding agents by inspecting env vars such as CLAUDE_CODE, ANTHROPIC_API_KEY, CLAUDE_SESSION_KEY, CURSOR_*, GITHUB_COPILOT, COPILOT_AGENT, WINDSURF_*, CODEIUM_API_KEY, and VSCODE_* — indicating the campaign targets AI-assisted developer environments where agents may auto-npx packages. Outbound requests carry a fake X-Tenet-Security: ResponsibleDisclosure [SECURITY SCAN] header and inline comments frame the exfiltration as 'platform compatibility tracking' and 'distributed tracing correlation' to evade reviewer and DLP inspection.