-= Per source details. Do not edit below this line.=-
On npm install, postinstall.js issues an HTTP GET to a hardcoded bare-IP endpoint at http://130.49.177.51:18080/p/dc-20260627-yandex-geobase carrying the package name, version, and a campaign tag (bb-yandex-geobase-20260627). The beacon fires automatically as a lifecycle script with no user opt-in, confirming code execution inside the installer's environment and exposing the installer's source IP / network position to an attacker-controlled host over plain HTTP. The package additionally declares a dependency on yandex-geobase and labels its callback with that package name, consistent with a dependency-confusion probe targeting the yandex-geobase namespace. Installer impact: any machine that resolves and installs dc-repro silently emits a network callback to the hardcoded IP at install time.
{
"malicious-packages-origins": [
{
"sha256": "0b27530f3aa6f2f96c3aa77ffad048e51ee4479d60c81ce59687772b6985a99b",
"id": "IN-MAL-2026-009603",
"import_time": "2026-07-09T23:30:56.516272151Z",
"modified_time": "2026-07-09T23:10:31Z",
"versions": [
"2.1.2"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "97e02b7889f0803a1df88588f3936857978bd042f065e484ea8e11a01fc2997bb735e0",
"sha256": "9006fd8275255b0d8a97b898ab94973d2af97194f620afe8e469923ac585e71e",
"path": "postinstall.js"
},
{
"sha256": "786487b17660e6a82bb3dfb2944b9de3d9f8a17c5a3010cdc348061ef84f24ab",
"tlsh": "0bc01228cc51afb368ca32f9847e2046a9a04003c5086c2c72de089c8f8986e686f625",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "dc-repro-2.1.2.tgz",
"hashes": {
"sha512_sri": "sha512-GcHKkIne7c23Ho55TcoA6DHyVyNDfunFpGj0cIHAIbJUprncvq6LAjPVd6B8lMcCM1iSPNMjMrpPvb81HpR2Yw==",
"sha1": "2eb6ce7469a46e5ed000a95ed3f34f838ded7756"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dc-repro/MAL-2026-10102.json"