VDB
EN

MAL-2026-10102

Malicious code in dc-repro (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0b27530f3aa6f2f96c3aa77ffad048e51ee4479d60c81ce59687772b6985a99b) On `npm install`, postinstall.js issues an HTTP GET to a hardcoded bare-IP endpoint at http://130.49.177.51:18080/p/dc-20260627-yandex-geobase carrying the package name, version, and a campaign tag (`bb-yandex-geobase-20260627`). The beacon fires automatically as a lifecycle script with no user opt-in, confirming code execution inside the installer's environment and exposing the installer's source IP / network position to an attacker-controlled host over plain HTTP. The package additionally declares a dependency on `yandex-geobase` and labels its callback with that package name, consistent with a dependency-confusion probe targeting the `yandex-geobase` namespace. Installer impact: any machine that resolves and installs `dc-repro` silently emits a network callback to the hardcoded IP at install time.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / dc-repro

No fixed version published yet for dc-repro (npm). Pin to a known-safe version or switch to an alternative.

참고