-= Per source details. Do not edit below this line.=-
Package name mimics Yandex's yastatic static-asset namespace. On install, postinstall.js performs an unconditional plain-HTTP GET to a hardcoded bare-IP endpoint http://130.49.177.51:18080/p/dc-20260627-yandex-geobase with query parameters carrying only the package name, version, and a fixed nonce. No environment variables, filesystem contents, credentials, or host identifiers are read or transmitted, and no code is fetched or executed from the remote endpoint. The behavior is a namespace-squatting placeholder with an install-time execution beacon: it confirms to the operator of the bare-IP endpoint that a target environment misresolved the public name into a private dependency tree. Installing this package does not exfiltrate installer data or execute attacker-controlled code, but it does reveal internal install activity to a third-party endpoint and occupies a namespace that resembles a well-known vendor's.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-29T05:25:30Z",
"versions": [
"0.1.0"
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"sha256": "6b9f052f01ba026de50b8dd1c26ccb2fe661367414f9139676f94eccaa3b8c50",
"import_time": "2026-06-29T07:09:09.289377415Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007741"
},
{
"modified_time": "2026-07-08T19:35:26Z",
"versions": [
"0.1.99"
],
"sha256": "4ddbcc63dbf0c8589eb16f0bfbd355d36ded28afce717b17af7dc1ad002d43da",
"import_time": "2026-07-08T20:32:09.543433053Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008287"
},
{
"modified_time": "2026-07-08T19:34:52Z",
"versions": [
"0.1.10"
],
"sha256": "f6abc47a32b453ee0a12ea33e7512ccdea60ed1868839e952cbeedaccd002a06",
"import_time": "2026-07-08T20:32:08.91810719Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008283"
}
]
}{
"evidence_files": [
{
"tlsh": "60f05cb856f580782ded41c9f3d1b85f95cee241f1557480ed9217d123d369326b26b0",
"sha256": "4511fad6b3a02db6a7d6ceffff5f43aff822a423a273336b0dfb0aa02c28bade",
"path": "postinstall.js"
},
{
"tlsh": "39e07d1818229a3328c04ac7147b551695609c170114390c13d70428d3ce363c6be20f",
"sha256": "f090917e53a95261431bffefb73032a7807d83cdf10d56f69de3c65b497f72fe",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "fa50a3e51959504d074d9c9fe2d8765c4a991063",
"sha512_sri": "sha512-bs4nLCIEh3YUYz3GjhqIZc8Bt4qDiWx6c1XCKnikZpSKmyJ2/1jf0rpc8u7N5Hf44CnOjPuHYoV18usqO4bRDQ=="
},
"filename": "yastatic-s3-0.1.0.tgz"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yastatic-s3/MAL-2026-6586.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]