npm

@iola_adm/iola-cli @0.1.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4783

Ecosystem

npm

Summary

src/cli.js contains a hardcoded endpoint https://apiiola.yasg.ru referenced multiple times (lines 1, 2, 198) and invoked via fetch() at line 256, in code paths that read process.env. The destination domain is a non-descriptive third-party host on the .ru TLD with no relationship to the package's apparent identity (@iola_adm/iola-cli) or any documented publisher infrastructure. The combination of a hardcoded foreign C2-shaped destination, fetch() calls into it, and process.env reads in the same file matches the active-attack/exfiltration shape: any installer who runs the CLI will have environment data shipped to an attacker-controlled endpoint.

Source: amazon-inspector (6e28a7ca88c4000d6efee1c0e324c8f28bebf03ef988e2ac3aa437857f34ee08)
