-= Per source details. Do not edit below this line.=-
yandex-geobase@3.9.0 squats the internal-sounding name 'yandex-geobase' and ships a postinstall script that performs an HTTP GET to a hardcoded bare-IP endpoint (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. The beacon transmits the package name, version, and a campaign identifier, confirming successful code execution inside the installer's build environment to a third-party host. The package self-describes as a 'Dependency confusion security test placeholder', but a self-label of 'PoC' does not change the installer-facing behavior: any build pipeline that resolves this public name in place of an internal Yandex package will silently signal an external bare-IP host that attacker-controlled code ran inside the installer's environment. The destination is a bare IP on a non-standard port (not a registry, vendor domain, or telemetry endpoint), which is consistent with dependency-confusion canary infrastructure rather than legitimate package behavior.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-29T04:18:25Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"id": "IN-MAL-2026-007720",
"source": "amazon-inspector",
"import_time": "2026-06-29T05:07:06.783736481Z",
"sha256": "1afe70f3f7794a4ef230823c92bc635e3fd70c82342bd41c1df1bbcd6105a8ea",
"versions": [
"2.9.0"
]
},
{
"modified_time": "2026-06-29T04:17:52Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "IN-MAL-2026-007716",
"source": "amazon-inspector",
"import_time": "2026-06-29T05:07:06.188445637Z",
"sha256": "cc198965d3b086a519c0027b94c392f00c6ab0246feb11694af1c43b12236a70",
"versions": [
"2.1.2"
]
},
{
"modified_time": "2026-06-29T04:18:00Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "IN-MAL-2026-007717",
"source": "amazon-inspector",
"import_time": "2026-06-29T05:07:06.295402289Z",
"sha256": "1f6219d513896736aee31ce33719d6ae2d1f5b03293ecdfe884d944bbb3eb99a",
"versions": [
"3.9.0"
]
},
{
"sha256": "69bb1d25ef0863fb16ce33e0536266243a6e007fa71d36303205fb0f8d71c110",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "IN-MAL-2026-007719",
"source": "amazon-inspector",
"import_time": "2026-06-29T05:07:06.645863701Z",
"modified_time": "2026-06-29T04:18:18Z",
"versions": [
"2.1.0"
]
},
{
"modified_time": "2026-06-29T04:18:07Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "IN-MAL-2026-007718",
"source": "amazon-inspector",
"import_time": "2026-06-29T05:07:06.465324577Z",
"sha256": "a16ea7792b5f438d3338f62a9d3d801c7e30892f1da7c75e0f9fd4e93af4c047",
"versions": [
"2.2.0"
]
},
{
"sha256": "ff9900918ba51446fba8f3ea7e861879123d55c7e86f5d82c886a57c8f0572ec",
"id": "IN-MAL-2026-008882",
"source": "amazon-inspector",
"import_time": "2026-07-08T22:51:31.376711603Z",
"modified_time": "2026-07-08T22:47:04Z",
"versions": [
"2.1.1"
]
}
]
}{
"package_integrity": [
{
"filename": "yandex-geobase-2.9.0.tgz",
"hashes": {
"sha1": "3df4f6f89f7e50a6c2f296fb5c5b19d00085f46e",
"sha512_sri": "sha512-/WGapuOJYcIFNxLMDF6HRQSSEQAkCGINp4Jm4Fmn+yQFaZ4jg2LqqUMi9+hq0M5Azrgnm46z/95Cj4BKfRuCuw=="
}
}
],
"evidence_files": [
{
"path": "postinstall.js",
"tlsh": "4ce0237849f040251dea8484f393685b95cbd142f065f580fd8e12901fd395366631f0",
"sha256": "abd78197cda15359797c65c76ea96b3bd7f20b047e18a9cd68d978ea9fa38353"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yandex-geobase/MAL-2026-6574.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]