yastatic-s3 @0.1.0

Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 9:56 AM UTC

Malicious

OSV ID

MAL-2026-6586

Ecosystem

npm

Summary

On install, the package's postinstall lifecycle script issues an HTTP GET to a hardcoded bare IP (130.49.177.51:18080) over plain HTTP, transmitting the package name, version, and a nonce in the query string. This confirms code execution on the installer's machine and reachability to a third-party endpoint without installer consent. The package name 'yastatic-s3' and the beacon path '/p/dc-20260627-yandex-geobase' impersonate Yandex's internal 'yastatic' static-asset / geobase namespace, consistent with a dependency-confusion attack targeting Yandex builds that resolve a private package name from the public npm registry. Installer harm is concrete: any build pipeline that pulls this package contacts the attacker-controlled host at install time, revealing internal build identifiers and demonstrating attacker code execution on the host.

Source: amazon-inspector (6b9f052f01ba026de50b8dd1c26ccb2fe661367414f9139676f94eccaa3b8c50)
