npm

na-rony @1.1.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-6964

Ecosystem

npm

Summary

package.json declares postinstall: node index.js , causing index.js to execute automatically on npm install . The script collects the installer's OS username (os.userInfo().username), current working directory (process.cwd()), hostname (os.hostname()), and non-internal IPv4 address (derived from os.networkInterfaces()), then POSTs them as a JSON body to a hardcoded webhook.site endpoint controlled by the author. The package has no legitimate library functionality — its only file is the beacon, its description is empty, and it declares a self-referential dependency on itself. Installing this package leaks installer host identifiers to an attacker-controlled collector.

Source: amazon-inspector (193f3dbfb6073e7b6c5dacb0e79157ccac9c69ac4c23d2c8270cc23d27cab699)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.