npm

na-rony @1.1.2

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC

Malicious

OSV ID

MAL-2026-6964

Ecosystem

npm

Summary

index.js executes at module load and POSTs os.hostname(), process.platform, process.cwd(), and the entire process.env to a hardcoded webhook.site collector (https://webhook.site/20a7921e-7280-4e44-9235-4a3e82631430). Any project that requires or imports na-rony leaks its full environment — routinely including AWS_*, GITHUB_TOKEN, NPM_TOKEN, database passwords, and CI secrets — to a third-party endpoint controlled by the package author. Bulk enumeration of process.env combined with host identifiers sent to an unrelated collection endpoint on import is the canonical credential-harvest pattern.

Source: amazon-inspector (cdb95cfc7b5a54f15cad828d907d0fb1b348330a42040e24eba98eb6af556fc7)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.