OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6574 confirms this npm version as malicious. yandex-geobase@3.9.0 squats the internal-sounding name 'yandex-geobase' and ships a postinstall script that performs an HTTP GET to a hardcoded bare-IP endpoint (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. The beacon transmits the package name, version, and a campaign identifier, confirming successful code execution inside the installer's build environment to a third-party host...
Advisory
MAL-2026-6574
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in yandex-geobase (npm)
Details
yandex-geobase@3.9.0 squats the internal-sounding name 'yandex-geobase' and ships a postinstall script that performs an HTTP GET to a hardcoded bare-IP endpoint (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. The beacon transmits the package name, version, and a campaign identifier, confirming successful code execution inside the installer's build environment to a third-party host. The package self-describes as a 'Dependency confusion security test placeholder', but a self-label of 'PoC' does not change the installer-facing behavior: any build pipeline that resolves this public name in place of an internal Yandex package will silently signal an external bare-IP host that attacker-controlled code ran inside the installer's environment. The destination is a bare IP on a non-standard port (not a registry, vendor domain, or telemetry endpoint), which is consistent with dependency-confusion canary infrastructure rather than legitimate package behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms yandex-geobase@2.2.0 as malicious (MAL-2026-6574): Malicious code in yandex-geobase (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory