Supply-chain threat intelligence
Risk score
92
Indexed incident for dc-repro (npm).
On npm install, postinstall.js issues an HTTP GET to a hardcoded bare-IP endpoint at http://130.49.177.51:18080/p/dc-20260627-yandex-geobase carrying the package name, version, and a campaign tag (bb-yandex-geobase-20260627). The beacon fires automatically as a lifecycle script with no user opt-in, confirming code execution inside the installer's environment and exposing the installer's source IP / network position to an attacker-controlled host over plain HTTP. The package additionally declares a dependency on yandex-geobase and labels its callback with that package name, consistent with a dependency-confusion probe targeting the yandex-geobase namespace. Installer impact: any machine that resolves and installs dc-repro silently emits a network callback to the hardcoded IP at install time.
Affected versions
Indicators
Timeline