MAL-2026-6574: Malicious code in yandex-geobase (npm)
The yandex-geobase npm package versions 2.1.0, 2.1.2, 2.2.0, 2.9.0, and 3.9.0 contain a postinstall script that performs an HTTP GET request to a hardcoded external IP address on a non-standard port during installation. This behavior signals to a third-party host that the package was installed and executed in the build environment, effectively leaking build environment information. The package is described as a 'Dependency confusion security test placeholder' but its behavior can expose internal build environments to external observation.
AI Analysis
Technical Summary
The yandex-geobase npm package in specified versions includes a postinstall script that contacts an external bare IP address (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. This request transmits the package name, version, and a campaign identifier, confirming code execution inside the installer's environment to an external third party. Although the package self-identifies as a proof-of-concept for dependency confusion testing, the external beaconing behavior can leak sensitive build environment information to an untrusted host. This behavior is consistent with dependency confusion canary infrastructure rather than legitimate package functionality.
Potential Impact
The impact is information leakage from the build environment to an external third party. This could allow an attacker to confirm that their malicious package was installed and executed within a target's build pipeline. There is no evidence of direct code execution beyond the postinstall beaconing, and no known exploits in the wild have been reported. However, the exposure of build environment details may facilitate further targeted attacks.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the affected versions of yandex-geobase from public npm registries, especially in internal build environments expecting a legitimate internal package. Consider using scoped or private registries to prevent dependency confusion attacks. Monitor for updates or advisories from the package maintainers or npm registry regarding remediation. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for current remediation guidance.
MAL-2026-6574: Malicious code in yandex-geobase (npm)
Description
The yandex-geobase npm package versions 2.1.0, 2.1.2, 2.2.0, 2.9.0, and 3.9.0 contain a postinstall script that performs an HTTP GET request to a hardcoded external IP address on a non-standard port during installation. This behavior signals to a third-party host that the package was installed and executed in the build environment, effectively leaking build environment information. The package is described as a 'Dependency confusion security test placeholder' but its behavior can expose internal build environments to external observation.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The yandex-geobase npm package in specified versions includes a postinstall script that contacts an external bare IP address (http://130.49.177.51:18080/p/dc-20260627-yandex-geobase) on every install. This request transmits the package name, version, and a campaign identifier, confirming code execution inside the installer's environment to an external third party. Although the package self-identifies as a proof-of-concept for dependency confusion testing, the external beaconing behavior can leak sensitive build environment information to an untrusted host. This behavior is consistent with dependency confusion canary infrastructure rather than legitimate package functionality.
Potential Impact
The impact is information leakage from the build environment to an external third party. This could allow an attacker to confirm that their malicious package was installed and executed within a target's build pipeline. There is no evidence of direct code execution beyond the postinstall beaconing, and no known exploits in the wild have been reported. However, the exposure of build environment details may facilitate further targeted attacks.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the affected versions of yandex-geobase from public npm registries, especially in internal build environments expecting a legitimate internal package. Consider using scoped or private registries to prevent dependency confusion attacks. Monitor for updates or advisories from the package maintainers or npm registry regarding remediation. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6574
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a42ed7627e9c7971993958e
Added to database: 06/29/2026, 22:11:02 UTC
Last enriched: 06/29/2026, 22:41:02 UTC
Last updated: 06/30/2026, 00:53:48 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.