{"id":"MAL-2026-6574","summary":"Malicious code in yandex-geobase (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1f6219d513896736aee31ce33719d6ae2d1f5b03293ecdfe884d944bbb3eb99a)\nyandex-geobase@3.9.0 squats the internal-sounding name 'yandex-geobase' and ships a postinstall script that performs an HTTP GET to a hardcoded bare-IP endpoint (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. The beacon transmits the package name, version, and a campaign identifier, confirming successful code execution inside the installer's build environment to a third-party host. The package self-describes as a 'Dependency confusion security test placeholder', but a self-label of 'PoC' does not change the installer-facing behavior: any build pipeline that resolves this public name in place of an internal Yandex package will silently signal an external bare-IP host that attacker-controlled code ran inside the installer's environment. The destination is a bare IP on a non-standard port (not a registry, vendor domain, or telemetry endpoint), which is consistent with dependency-confusion canary infrastructure rather than legitimate package behavior.\n","modified":"2026-07-08T23:01:56.596066118Z","published":"2026-06-29T04:17:52Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-29T05:07:06.783736481Z","sha256":"1afe70f3f7794a4ef230823c92bc635e3fd70c82342bd41c1df1bbcd6105a8ea","versions":["2.9.0"],"modified_time":"2026-06-29T04:18:25Z","source":"amazon-inspector","id":"IN-MAL-2026-007720","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}]},{"import_time":"2026-06-29T05:07:06.188445637Z","sha256":"cc198965d3b086a519c0027b94c392f00c6ab0246feb11694af1c43b12236a70","versions":["2.1.2"],"modified_time":"2026-06-29T04:17:52Z","source":"amazon-inspector","id":"IN-MAL-2026-007716","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}]},{"import_time":"2026-06-29T05:07:06.295402289Z","sha256":"1f6219d513896736aee31ce33719d6ae2d1f5b03293ecdfe884d944bbb3eb99a","versions":["3.9.0"],"modified_time":"2026-06-29T04:18:00Z","source":"amazon-inspector","id":"IN-MAL-2026-007717","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}]},{"import_time":"2026-06-29T05:07:06.645863701Z","sha256":"69bb1d25ef0863fb16ce33e0536266243a6e007fa71d36303205fb0f8d71c110","versions":["2.1.0"],"source":"amazon-inspector","modified_time":"2026-06-29T04:18:18Z","id":"IN-MAL-2026-007719","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}]},{"import_time":"2026-06-29T05:07:06.465324577Z","sha256":"a16ea7792b5f438d3338f62a9d3d801c7e30892f1da7c75e0f9fd4e93af4c047","versions":["2.2.0"],"modified_time":"2026-06-29T04:18:07Z","source":"amazon-inspector","id":"IN-MAL-2026-007718","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}]},{"import_time":"2026-07-08T22:51:31.376711603Z","sha256":"ff9900918ba51446fba8f3ea7e861879123d55c7e86f5d82c886a57c8f0572ec","versions":["2.1.1"],"source":"amazon-inspector","modified_time":"2026-07-08T22:47:04Z","id":"IN-MAL-2026-008882"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/yandex-geobase/v/2.9.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/yandex-geobase/v/2.1.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/yandex-geobase/v/3.9.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/yandex-geobase/v/2.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/yandex-geobase/v/2.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/yandex-geobase/v/2.1.1"}],"affected":[{"package":{"name":"yandex-geobase","ecosystem":"npm","purl":"pkg:npm/yandex-geobase"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["2.9.0","2.1.2","3.9.0","2.1.0","2.2.0","2.1.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yandex-geobase/MAL-2026-6574.json","indicators":{"package_integrity":[{"filename":"yandex-geobase-2.9.0.tgz","hashes":{"sha1":"3df4f6f89f7e50a6c2f296fb5c5b19d00085f46e","sha512_sri":"sha512-/WGapuOJYcIFNxLMDF6HRQSSEQAkCGINp4Jm4Fmn+yQFaZ4jg2LqqUMi9+hq0M5Azrgnm46z/95Cj4BKfRuCuw=="}}],"evidence_files":[{"sha256":"abd78197cda15359797c65c76ea96b3bd7f20b047e18a9cd68d978ea9fa38353","tlsh":"4ce0237849f040251dea8484f393685b95cbd142f065f580fd8e12901fd395366631f0","path":"postinstall.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}