MAL-2026-6574
Malicious code in yandex-geobase (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1f6219d513896736aee31ce33719d6ae2d1f5b03293ecdfe884d944bbb3eb99a)

yandex-geobase@3.9.0 squats the internal-sounding name 'yandex-geobase' and ships a postinstall script that performs an HTTP GET to a hardcoded bare-IP endpoint (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. The beacon transmits the package name, version, and a campaign identifier, confirming to a third-party host that code executed inside the installer's build environment. The package self-describes as a 'Dependency confusion security test placeholder', but a self-applied 'PoC' label does not change the installer-facing behavior: any build pipeline that resolves this public name in place of an internal Yandex package will silently signal to an external bare-IP host that attacker-controlled code ran inside its environment. The destination is a bare IP on a non-standard port (not a registry, vendor domain, or telemetry endpoint), which is consistent with dependency-confusion canary infrastructure rather than legitimate package behavior.
Affected packages
No fixed version published yet for yandex-geobase (npm). The source analysis covers 3.9.0 only; the other published versions listed under References are not shown to be safe by it, so pinning to another public version of this name is not a fix. If your build resolves this name, confirm that the intended internal package is being fetched from your private registry rather than from the public npm name, and remove the public dependency.
References
- https://www.npmjs.com/package/yandex-geobase/v/2.9.0 [PACKAGE]
- https://www.npmjs.com/package/yandex-geobase/v/2.1.2 [PACKAGE]
- https://www.npmjs.com/package/yandex-geobase/v/3.9.0 [PACKAGE]
- https://www.npmjs.com/package/yandex-geobase/v/2.1.0 [PACKAGE]
- https://www.npmjs.com/package/yandex-geobase/v/2.2.0 [PACKAGE]