MAL-2026-10102

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dc-repro/MAL-2026-10102.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10102
Published
2026-07-09T23:10:31Z
Modified
2026-07-09T23:47:00.595786178Z
Summary
Malicious code in dc-repro (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0b27530f3aa6f2f96c3aa77ffad048e51ee4479d60c81ce59687772b6985a99b)

On npm install, postinstall.js issues an HTTP GET to a hardcoded bare-IP endpoint at http://130.49.177.51:18080/p/dc-20260627-yandex-geobase carrying the package name, version, and a campaign tag (bb-yandex-geobase-20260627). The beacon fires automatically as a lifecycle script with no user opt-in, confirming code execution inside the installer's environment and exposing the installer's source IP / network position to an attacker-controlled host over plain HTTP. The package additionally declares a dependency on yandex-geobase and labels its callback with that package name, consistent with a dependency-confusion probe targeting the yandex-geobase namespace. Installer impact: any machine that resolves and installs dc-repro silently emits a network callback to the hardcoded IP at install time.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0b27530f3aa6f2f96c3aa77ffad048e51ee4479d60c81ce59687772b6985a99b",
            "id": "IN-MAL-2026-009603",
            "import_time": "2026-07-09T23:30:56.516272151Z",
            "modified_time": "2026-07-09T23:10:31Z",
            "versions": [
                "2.1.2"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / dc-repro

Package

Affected ranges

Affected versions

2.*
2.1.2

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "97e02b7889f0803a1df88588f3936857978bd042f065e484ea8e11a01fc2997bb735e0",
            "sha256": "9006fd8275255b0d8a97b898ab94973d2af97194f620afe8e469923ac585e71e",
            "path": "postinstall.js"
        },
        {
            "sha256": "786487b17660e6a82bb3dfb2944b9de3d9f8a17c5a3010cdc348061ef84f24ab",
            "tlsh": "0bc01228cc51afb368ca32f9847e2046a9a04003c5086c2c72de089c8f8986e686f625",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "dc-repro-2.1.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-GcHKkIne7c23Ho55TcoA6DHyVyNDfunFpGj0cIHAIbJUprncvq6LAjPVd6B8lMcCM1iSPNMjMrpPvb81HpR2Yw==",
                "sha1": "2eb6ce7469a46e5ed000a95ed3f34f838ded7756"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dc-repro/MAL-2026-10102.json"