OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10500 confirms this npm version as malicious. express-bunker@6.1.0 ships a postinstall script that performs an HTTP GET to a hardcoded bare IP over plain HTTP (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) at npm install time, transmitting the package name, version, and a fixed campaign nonce (bb-express-bunker-20260628). The beacon fires unconditionally on every install with no opt-out...
Advisory
MAL-2026-10500
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-bunker (npm)
Details
express-bunker@6.1.0 ships a postinstall script that performs an HTTP GET to a hardcoded bare IP over plain HTTP (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) at npm install time, transmitting the package name, version, and a fixed campaign nonce (bb-express-bunker-20260628). The beacon fires unconditionally on every install with no opt-out. The package name and beacon path indicate a dependency-confusion squat against an internal namespace (yandex-geobase): any host or CI system that mis-resolves an internal dependency name to this public artifact silently signals successful name shadowing to the operator-controlled endpoint, disclosing installer environment information and confirming exploitability for follow-on attacks. A README self-label as a 'benign PoC' does not change the installer-side effect — the public artifact performs install-time outbound network I/O the installer did not opt into, and the same install vector could ship arbitrary code in a later version.
Decision reason
OpenSSF Malicious Packages via OSV confirms express-bunker@6.1.0 as malicious (MAL-2026-10500): Malicious code in express-bunker (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory