rony-testing @99.9.9
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6968
Ecosystem
npm
Summary
The package's postinstall hook auto-executes index.js on npm install. The script collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), and current working directory, serializes them as JSON, and POSTs the payload to a hardcoded webhook.site endpoint (https://webhook.site/7088d897-5b86-4deb-8d29-5b7a263a49b4). Request errors are silently swallowed to avoid alerting the installer. There is no documented purpose, no consent prompt, and no configuration option — the beacon fires unconditionally on install and transmits installer identity to an attacker-controlled collector.
Source: amazon-inspector (be1a5728b472335e46d1df74becaf6355424f1f32d068bb517c079d88cacc03c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.