OSV ID
MAL-2026-10102
Ecosystem
npm
Summary
On npm install , postinstall.js issues an HTTP GET to a hardcoded bare-IP endpoint at http://130.49.177.51:18080/p/dc-20260627-yandex-geobase carrying the package name, version, and a campaign tag ( bb-yandex-geobase-20260627 ). The beacon fires automatically as a lifecycle script with no user opt-in, confirming code execution inside the installer's environment and exposing the installer's source IP / network position to an attacker-controlled host over plain HTTP. The package additionally declares a dependency on yandex-geobase and labels its callback with that package name, consistent with a dependency-confusion probe targeting the yandex-geobase namespace. Installer impact: any machine that resolves and installs dc-repro silently emits a network callback to the hardcoded IP at install time.
Source: amazon-inspector (0b27530f3aa6f2f96c3aa77ffad048e51ee4479d60c81ce59687772b6985a99b)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.