yandex-geobase @3.9.0
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 6:55 AM UTC
OSV ID
MAL-2026-6574
Ecosystem
npm
Summary
yandex-geobase@3.9.0 squats the internal-sounding name 'yandex-geobase' and ships a postinstall script that performs an HTTP GET to a hardcoded bare-IP endpoint (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. The beacon transmits the package name, version, and a campaign identifier, confirming to a third-party host that code from the package executed inside the installer's build environment. The package self-describes as a 'Dependency confusion security test placeholder', but a self-applied 'PoC' label does not change the installer-facing behavior: any build pipeline that resolves this public name in place of an internal Yandex package will silently signal to an external bare-IP host that attacker-controlled code ran inside its environment, and because the hook runs at install time the beacon fires whether or not the package is ever imported. The destination is a bare IP on a non-standard port (not a registry, vendor domain, or telemetry endpoint), which is consistent with dependency-confusion canary infrastructure rather than legitimate package behavior.
Source: amazon-inspector (1f6219d513896736aee31ce33719d6ae2d1f5b03293ecdfe884d944bbb3eb99a)