npm

rony-test @99.9.9

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-7001

Ecosystem

npm

Summary

The package's main entry (index.js) collects installer identity data — os.userInfo().username, process.env.INIT_CWD || process.cwd(), and os.hostname() — and POSTs the JSON body to a hardcoded webhook.site endpoint (https://webhook.site/7088d897-5b86-4deb-8d29-5b7a263a49b4) at module load time via require('https'). Any consumer that requires or imports this package leaks host and user identifiers to an author-controlled third-party sink with no consent and no documented purpose (package description is 'Researching'). A postinstall entry ('node indes.js') references a non-existent file and would fail with MODULE_NOT_FOUND, so the install-time trigger is broken, but the load-time exfiltration via the main module is functional.

Source: amazon-inspector (873cd33646b64f2073cc37ed9649a3757fb8aa186d50f700cb8ad199196fd56c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.