MAL-2026-6586

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yastatic-s3/MAL-2026-6586.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6586
Published
2026-06-29T05:25:30Z
Modified
2026-07-08T20:47:14.266313339Z
Summary
Malicious code in yastatic-s3 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f6abc47a32b453ee0a12ea33e7512ccdea60ed1868839e952cbeedaccd002a06)

Package name mimics Yandex's yastatic static-asset namespace. On install, postinstall.js performs an unconditional plain-HTTP GET to a hardcoded bare-IP endpoint http://130.49.177.51:18080/p/dc-20260627-yandex-geobase with query parameters carrying only the package name, version, and a fixed nonce. No environment variables, filesystem contents, credentials, or host identifiers are read or transmitted, and no code is fetched or executed from the remote endpoint. The behavior is a namespace-squatting placeholder with an install-time execution beacon: it confirms to the operator of the bare-IP endpoint that a target environment misresolved the public name into a private dependency tree. Installing this package does not exfiltrate installer data or execute attacker-controlled code, but it does reveal internal install activity to a third-party endpoint and occupies a namespace that resembles a well-known vendor's.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-29T05:25:30Z",
            "versions": [
                "0.1.0"
            ],
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "sha256": "6b9f052f01ba026de50b8dd1c26ccb2fe661367414f9139676f94eccaa3b8c50",
            "import_time": "2026-06-29T07:09:09.289377415Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007741"
        },
        {
            "modified_time": "2026-07-08T19:35:26Z",
            "versions": [
                "0.1.99"
            ],
            "sha256": "4ddbcc63dbf0c8589eb16f0bfbd355d36ded28afce717b17af7dc1ad002d43da",
            "import_time": "2026-07-08T20:32:09.543433053Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-008287"
        },
        {
            "modified_time": "2026-07-08T19:34:52Z",
            "versions": [
                "0.1.10"
            ],
            "sha256": "f6abc47a32b453ee0a12ea33e7512ccdea60ed1868839e952cbeedaccd002a06",
            "import_time": "2026-07-08T20:32:08.91810719Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-008283"
        }
    ]
}
References
Credits

Affected packages

npm / yastatic-s3

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.1.0
0.1.10
0.1.99

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "60f05cb856f580782ded41c9f3d1b85f95cee241f1557480ed9217d123d369326b26b0",
            "sha256": "4511fad6b3a02db6a7d6ceffff5f43aff822a423a273336b0dfb0aa02c28bade",
            "path": "postinstall.js"
        },
        {
            "tlsh": "39e07d1818229a3328c04ac7147b551695609c170114390c13d70428d3ce363c6be20f",
            "sha256": "f090917e53a95261431bffefb73032a7807d83cdf10d56f69de3c65b497f72fe",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "fa50a3e51959504d074d9c9fe2d8765c4a991063",
                "sha512_sri": "sha512-bs4nLCIEh3YUYz3GjhqIZc8Bt4qDiWx6c1XCKnikZpSKmyJ2/1jf0rpc8u7N5Hf44CnOjPuHYoV18usqO4bRDQ=="
            },
            "filename": "yastatic-s3-0.1.0.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yastatic-s3/MAL-2026-6586.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]