VYPR

npm · Malicious package advisory

Malware

yandex-geobase

MAL-2026-6574

Malicious code in yandex-geobase (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1f6219d513896736aee31ce33719d6ae2d1f5b03293ecdfe884d944bbb3eb99a)
yandex-geobase@3.9.0 squats the internal-sounding name 'yandex-geobase' and ships a postinstall script that performs an HTTP GET to a hardcoded bare-IP endpoint (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. The beacon transmits the package name, version, and a campaign identifier, confirming successful code execution inside the installer's build environment to a third-party host. The package self-describes as a 'Dependency confusion security test placeholder', but a self-label of 'PoC' does not change the installer-facing behavior: any build pipeline that resolves this public name in place of an internal Yandex package will silently signal an external bare-IP host that attacker-controlled code ran inside the installer's environment. The destination is a bare IP on a non-standard port (not a registry, vendor domain, or telemetry endpoint), which is consistent with dependency-confusion canary infrastructure rather than legitimate package behavior.

Compromised versions (6)

  • 2.9.0
  • 2.1.2
  • 3.9.0
  • 2.1.0
  • 2.2.0
  • 2.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.