MAL-2026-6574

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yandex-geobase/MAL-2026-6574.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6574
Published
2026-06-29T04:17:52Z
Modified
2026-07-08T23:01:56.596066118Z
Summary
Malicious code in yandex-geobase (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1f6219d513896736aee31ce33719d6ae2d1f5b03293ecdfe884d944bbb3eb99a)

yandex-geobase@3.9.0 squats the internal-sounding name 'yandex-geobase' and ships a postinstall script that performs an HTTP GET to a hardcoded bare-IP endpoint (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. The beacon transmits the package name, version, and a campaign identifier, confirming successful code execution inside the installer's build environment to a third-party host. The package self-describes as a 'Dependency confusion security test placeholder', but a self-label of 'PoC' does not change the installer-facing behavior: any build pipeline that resolves this public name in place of an internal Yandex package will silently signal an external bare-IP host that attacker-controlled code ran inside the installer's environment. The destination is a bare IP on a non-standard port (not a registry, vendor domain, or telemetry endpoint), which is consistent with dependency-confusion canary infrastructure rather than legitimate package behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-29T04:18:25Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "id": "IN-MAL-2026-007720",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T05:07:06.783736481Z",
            "sha256": "1afe70f3f7794a4ef230823c92bc635e3fd70c82342bd41c1df1bbcd6105a8ea",
            "versions": [
                "2.9.0"
            ]
        },
        {
            "modified_time": "2026-06-29T04:17:52Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "IN-MAL-2026-007716",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T05:07:06.188445637Z",
            "sha256": "cc198965d3b086a519c0027b94c392f00c6ab0246feb11694af1c43b12236a70",
            "versions": [
                "2.1.2"
            ]
        },
        {
            "modified_time": "2026-06-29T04:18:00Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "IN-MAL-2026-007717",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T05:07:06.295402289Z",
            "sha256": "1f6219d513896736aee31ce33719d6ae2d1f5b03293ecdfe884d944bbb3eb99a",
            "versions": [
                "3.9.0"
            ]
        },
        {
            "sha256": "69bb1d25ef0863fb16ce33e0536266243a6e007fa71d36303205fb0f8d71c110",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "IN-MAL-2026-007719",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T05:07:06.645863701Z",
            "modified_time": "2026-06-29T04:18:18Z",
            "versions": [
                "2.1.0"
            ]
        },
        {
            "modified_time": "2026-06-29T04:18:07Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "IN-MAL-2026-007718",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T05:07:06.465324577Z",
            "sha256": "a16ea7792b5f438d3338f62a9d3d801c7e30892f1da7c75e0f9fd4e93af4c047",
            "versions": [
                "2.2.0"
            ]
        },
        {
            "sha256": "ff9900918ba51446fba8f3ea7e861879123d55c7e86f5d82c886a57c8f0572ec",
            "id": "IN-MAL-2026-008882",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T22:51:31.376711603Z",
            "modified_time": "2026-07-08T22:47:04Z",
            "versions": [
                "2.1.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / yandex-geobase

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.1.0
2.1.1
2.1.2
2.2.0
2.9.0
3.*
3.9.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "yandex-geobase-2.9.0.tgz",
            "hashes": {
                "sha1": "3df4f6f89f7e50a6c2f296fb5c5b19d00085f46e",
                "sha512_sri": "sha512-/WGapuOJYcIFNxLMDF6HRQSSEQAkCGINp4Jm4Fmn+yQFaZ4jg2LqqUMi9+hq0M5Azrgnm46z/95Cj4BKfRuCuw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "tlsh": "4ce0237849f040251dea8484f393685b95cbd142f065f580fd8e12901fd395366631f0",
            "sha256": "abd78197cda15359797c65c76ea96b3bd7f20b047e18a9cd68d978ea9fa38353"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yandex-geobase/MAL-2026-6574.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]