VYPR

npm · Malicious package advisory

Malware

yastatic-s3

MAL-2026-6586

Malicious code in yastatic-s3 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f6abc47a32b453ee0a12ea33e7512ccdea60ed1868839e952cbeedaccd002a06)
Package name mimics Yandex's `yastatic` static-asset namespace. On install, postinstall.js performs an unconditional plain-HTTP GET to a hardcoded bare-IP endpoint http://130.49.177.51:18080/p/dc-20260627-yandex-geobase with query parameters carrying only the package name, version, and a fixed nonce. No environment variables, filesystem contents, credentials, or host identifiers are read or transmitted, and no code is fetched or executed from the remote endpoint. The behavior is a namespace-squatting placeholder with an install-time execution beacon: it confirms to the operator of the bare-IP endpoint that a target environment misresolved the public name into a private dependency tree. Installing this package does not exfiltrate installer data or execute attacker-controlled code, but it does reveal internal install activity to a third-party endpoint and occupies a namespace that resembles a well-known vendor's.

Compromised versions (3)

  • 0.1.0
  • 0.1.99
  • 0.1.10

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.