npm · Malicious package advisory
Malwareyastatic-s3
MAL-2026-6586
Malicious code in yastatic-s3 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f6abc47a32b453ee0a12ea33e7512ccdea60ed1868839e952cbeedaccd002a06) Package name mimics Yandex's `yastatic` static-asset namespace. On install, postinstall.js performs an unconditional plain-HTTP GET to a hardcoded bare-IP endpoint http://130.49.177.51:18080/p/dc-20260627-yandex-geobase with query parameters carrying only the package name, version, and a fixed nonce. No environment variables, filesystem contents, credentials, or host identifiers are read or transmitted, and no code is fetched or executed from the remote endpoint. The behavior is a namespace-squatting placeholder with an install-time execution beacon: it confirms to the operator of the bare-IP endpoint that a target environment misresolved the public name into a private dependency tree. Installing this package does not exfiltrate installer data or execute attacker-controlled code, but it does reveal internal install activity to a third-party endpoint and occupies a namespace that resembles a well-known vendor's.
Compromised versions (3)
- 0.1.0
- 0.1.99
- 0.1.10
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.