express-bunker @6.1.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10500
Ecosystem
npm
Summary
express-bunker@6.1.0 ships a postinstall script that performs an HTTP GET to a hardcoded bare IP over plain HTTP (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) at npm install time, transmitting the package name, version, and a fixed campaign nonce (bb-express-bunker-20260628). The beacon fires unconditionally on every install with no opt-out. The package name and beacon path indicate a dependency-confusion squat against an internal namespace (yandex-geobase): any host or CI system that mis-resolves an internal dependency name to this public artifact silently signals successful name shadowing to the operator-controlled endpoint, disclosing installer environment information and confirming exploitability for follow-on attacks. A README self-label as a 'benign PoC' does not change the installer-side effect — the public artifact performs install-time outbound network I/O the installer did not opt into, and the same install vector could ship arbitrary code in a later version.
Source: amazon-inspector (68139b9a62e1d546de6ce2e46d5203782dbf54f1af2edbd2b8f509528eb0f000)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.