{"id":"MAL-2026-7001","summary":"Malicious code in rony-test (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (873cd33646b64f2073cc37ed9649a3757fb8aa186d50f700cb8ad199196fd56c)\nThe package's main entry (index.js) collects installer identity data — os.userInfo().username, process.env.INIT_CWD || process.cwd(), and os.hostname() — and POSTs the JSON body to a hardcoded webhook.site endpoint (https://webhook.site/7088d897-5b86-4deb-8d29-5b7a263a49b4) at module load time via require('https'). Any consumer that requires or imports this package leaks host and user identifiers to an author-controlled third-party sink with no consent and no documented purpose (package description is 'Researching'). A postinstall entry ('node indes.js') references a non-existent file and would fail with MODULE_NOT_FOUND, so the install-time trigger is broken, but the load-time exfiltration via the main module is functional.\n","modified":"2026-07-08T17:16:51.744622755Z","published":"2026-07-08T16:24:55Z","database_specific":{"malicious-packages-origins":[{"versions":["99.9.9"],"modified_time":"2026-07-08T16:24:55Z","source":"amazon-inspector","sha256":"873cd33646b64f2073cc37ed9649a3757fb8aa186d50f700cb8ad199196fd56c","id":"IN-MAL-2026-008100","import_time":"2026-07-08T17:01:30.457816159Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/rony-test/v/99.9.9"}],"affected":[{"package":{"name":"rony-test","ecosystem":"npm","purl":"pkg:npm/rony-test"},"versions":["99.9.9"],"database_specific":{"indicators":{"evidence_files":[{"path":"index.js","tlsh":"9801c0f591f7b1640ea921e1984aec1a6322e401700a9dd4baa8c3a4afc19f425b1adc","sha256":"6faf0e080e64fff0079c1f8e87c30c452acf3cc71fc5fbf131da4b05c7ba18e7"},{"path":"package.json","tlsh":"5cd0a7285c31962378d41aa90da5a80aaa619e1f0208781e1ba7105c92eed3748be30f","sha256":"ef2cbc37c6de54b3324fec77959b63d71335e03d5a35727d9d576d0b63520b31"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-9jYRUGOit1ADPNA/scHuh4g/bnACzg/Ri5YPzNh+t4A8wj1XBcS/xvJtE+drEJE8NfPAy+Mjkk5oXLk/4z+9uw==","sha1":"a2e64ec80e6598c31b4c82b77b6b5bc2e6d6e902"},"filename":"rony-test-99.9.9.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rony-test/MAL-2026-7001.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}