{"id":"MAL-2026-10102","summary":"Malicious code in dc-repro (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0b27530f3aa6f2f96c3aa77ffad048e51ee4479d60c81ce59687772b6985a99b)\nOn `npm install`, postinstall.js issues an HTTP GET to a hardcoded bare-IP endpoint at http://130.49.177.51:18080/p/dc-20260627-yandex-geobase carrying the package name, version, and a campaign tag (`bb-yandex-geobase-20260627`). The beacon fires automatically as a lifecycle script with no user opt-in, confirming code execution inside the installer's environment and exposing the installer's source IP / network position to an attacker-controlled host over plain HTTP. The package additionally declares a dependency on `yandex-geobase` and labels its callback with that package name, consistent with a dependency-confusion probe targeting the `yandex-geobase` namespace. Installer impact: any machine that resolves and installs `dc-repro` silently emits a network callback to the hardcoded IP at install time.\n","modified":"2026-07-09T23:47:00.595786178Z","published":"2026-07-09T23:10:31Z","database_specific":{"malicious-packages-origins":[{"versions":["2.1.2"],"sha256":"0b27530f3aa6f2f96c3aa77ffad048e51ee4479d60c81ce59687772b6985a99b","source":"amazon-inspector","import_time":"2026-07-09T23:30:56.516272151Z","id":"IN-MAL-2026-009603","modified_time":"2026-07-09T23:10:31Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dc-repro/v/2.1.2"}],"affected":[{"package":{"name":"dc-repro","ecosystem":"npm","purl":"pkg:npm/dc-repro"},"versions":["2.1.2"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"9006fd8275255b0d8a97b898ab94973d2af97194f620afe8e469923ac585e71e","path":"postinstall.js","tlsh":"97e02b7889f0803a1df88588f3936857978bd042f065e484ea8e11a01fc2997bb735e0"},{"tlsh":"0bc01228cc51afb368ca32f9847e2046a9a04003c5086c2c72de089c8f8986e686f625","path":"package.json","sha256":"786487b17660e6a82bb3dfb2944b9de3d9f8a17c5a3010cdc348061ef84f24ab"}],"package_integrity":[{"hashes":{"sha1":"2eb6ce7469a46e5ed000a95ed3f34f838ded7756","sha512_sri":"sha512-GcHKkIne7c23Ho55TcoA6DHyVyNDfunFpGj0cIHAIbJUprncvq6LAjPVd6B8lMcCM1iSPNMjMrpPvb81HpR2Yw=="},"filename":"dc-repro-2.1.2.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dc-repro/MAL-2026-10102.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}