npm

rony-testing @99.9.9

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6968

Ecosystem

npm

Summary

The package's postinstall hook auto-executes index.js on npm install. The script collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), and current working directory, serializes them as JSON, and POSTs the payload to a hardcoded webhook.site endpoint (https://webhook.site/7088d897-5b86-4deb-8d29-5b7a263a49b4). Request errors are silently swallowed to avoid alerting the installer. There is no documented purpose, no consent prompt, and no configuration option — the beacon fires unconditionally on install and transmits installer identity to an attacker-controlled collector.

Source: amazon-inspector (be1a5728b472335e46d1df74becaf6355424f1f32d068bb517c079d88cacc03c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.