npm

ronyfortest @99.9.9

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 8:23 PM UTC

Malicious

OSV ID

MAL-2026-7002

Ecosystem

npm

Summary

The package's postinstall hook ( node index.js ) runs automatically on npm install and collects the installer's OS username ( os.userInfo().username ), hostname ( os.hostname() ), and working directory ( process.env.INIT_CWD || process.cwd() ), then POSTs them as JSON to a hardcoded webhook.site inspector URL (https://webhook.site/49781ccd-e409-4a90-8a42-34ed52b9e7b1). package.json ships empty author/description/keywords metadata and declares no legitimate purpose. The behavior is an unconditional install-time beacon that leaks installer host/user identifiers to an author-controlled inspection endpoint.

Source: amazon-inspector (8c9f63368f7e1147ade261a87f45e32e13bcf79b5336efad59087ce85e64a849)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.