npm

yastatic-s3 @0.1.99

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC

Malicious

OSV ID

MAL-2026-6586

Ecosystem

npm

Summary

Package name mimics Yandex's yastatic static-asset namespace. On install, postinstall.js performs an unconditional plain-HTTP GET to a hardcoded bare-IP endpoint http://130.49.177.51:18080/p/dc-20260627-yandex-geobase with query parameters carrying only the package name, version, and a fixed nonce. No environment variables, filesystem contents, credentials, or host identifiers are read or transmitted, and no code is fetched or executed from the remote endpoint. The behavior is a namespace-squatting placeholder with an install-time execution beacon: it confirms to the operator of the bare-IP endpoint that a target environment misresolved the public name into a private dependency tree. Installing this package does not exfiltrate installer data or execute attacker-controlled code, but it does reveal internal install activity to a third-party endpoint and occupies a namespace that resembles a well-known vendor's.

Source: amazon-inspector (f6abc47a32b453ee0a12ea33e7512ccdea60ed1868839e952cbeedaccd002a06)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.