{"id":"MAL-2026-6586","summary":"Malicious code in yastatic-s3 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f6abc47a32b453ee0a12ea33e7512ccdea60ed1868839e952cbeedaccd002a06)\nPackage name mimics Yandex's `yastatic` static-asset namespace. On install, postinstall.js performs an unconditional plain-HTTP GET to a hardcoded bare-IP endpoint http://130.49.177.51:18080/p/dc-20260627-yandex-geobase with query parameters carrying only the package name, version, and a fixed nonce. No environment variables, filesystem contents, credentials, or host identifiers are read or transmitted, and no code is fetched or executed from the remote endpoint. The behavior is a namespace-squatting placeholder with an install-time execution beacon: it confirms to the operator of the bare-IP endpoint that a target environment misresolved the public name into a private dependency tree. Installing this package does not exfiltrate installer data or execute attacker-controlled code, but it does reveal internal install activity to a third-party endpoint and occupies a namespace that resembles a well-known vendor's.\n","modified":"2026-07-08T20:47:14.266313339Z","published":"2026-06-29T05:25:30Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007741","modified_time":"2026-06-29T05:25:30Z","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"versions":["0.1.0"],"source":"amazon-inspector","sha256":"6b9f052f01ba026de50b8dd1c26ccb2fe661367414f9139676f94eccaa3b8c50","import_time":"2026-06-29T07:09:09.289377415Z"},{"id":"IN-MAL-2026-008287","modified_time":"2026-07-08T19:35:26Z","versions":["0.1.99"],"source":"amazon-inspector","sha256":"4ddbcc63dbf0c8589eb16f0bfbd355d36ded28afce717b17af7dc1ad002d43da","import_time":"2026-07-08T20:32:09.543433053Z"},{"id":"IN-MAL-2026-008283","modified_time":"2026-07-08T19:34:52Z","versions":["0.1.10"],"source":"amazon-inspector","sha256":"f6abc47a32b453ee0a12ea33e7512ccdea60ed1868839e952cbeedaccd002a06","import_time":"2026-07-08T20:32:08.91810719Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/yastatic-s3/v/0.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/yastatic-s3/v/0.1.99"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/yastatic-s3/v/0.1.10"}],"affected":[{"package":{"name":"yastatic-s3","ecosystem":"npm","purl":"pkg:npm/yastatic-s3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["0.1.0","0.1.99","0.1.10"],"database_specific":{"indicators":{"evidence_files":[{"path":"postinstall.js","sha256":"4511fad6b3a02db6a7d6ceffff5f43aff822a423a273336b0dfb0aa02c28bade","tlsh":"60f05cb856f580782ded41c9f3d1b85f95cee241f1557480ed9217d123d369326b26b0"},{"path":"package.json","sha256":"f090917e53a95261431bffefb73032a7807d83cdf10d56f69de3c65b497f72fe","tlsh":"39e07d1818229a3328c04ac7147b551695609c170114390c13d70428d3ce363c6be20f"}],"package_integrity":[{"filename":"yastatic-s3-0.1.0.tgz","hashes":{"sha1":"fa50a3e51959504d074d9c9fe2d8765c4a991063","sha512_sri":"sha512-bs4nLCIEh3YUYz3GjhqIZc8Bt4qDiWx6c1XCKnikZpSKmyJ2/1jf0rpc8u7N5Hf44CnOjPuHYoV18usqO4bRDQ=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yastatic-s3/MAL-2026-6586.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}