Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in dc-repro (npm)

dc-repro

Risk score

92

AI summary

Indexed incident for dc-repro (npm).

Description

On npm install, postinstall.js issues an HTTP GET to a hardcoded bare-IP endpoint at http://130.49.177.51:18080/p/dc-20260627-yandex-geobase carrying the package name, version, and a campaign tag (bb-yandex-geobase-20260627). The beacon fires automatically as a lifecycle script with no user opt-in, confirming code execution inside the installer's environment and exposing the installer's source IP / network position to an attacker-controlled host over plain HTTP. The package additionally declares a dependency on yandex-geobase and labels its callback with that package name, consistent with a dependency-confusion probe targeting the yandex-geobase namespace. Installer impact: any machine that resolves and installs dc-repro silently emits a network callback to the hardcoded IP at install time.

Technical details

Affected versions

=2.1.2

Indicators

  • affected version=2.1.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents