{"id":"MAL-2026-7002","summary":"Malicious code in ronyfortest (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8c9f63368f7e1147ade261a87f45e32e13bcf79b5336efad59087ce85e64a849)\nThe package's postinstall hook (`node index.js`) runs automatically on `npm install` and collects the installer's OS username (`os.userInfo().username`), hostname (`os.hostname()`), and working directory (`process.env.INIT_CWD || process.cwd()`), then POSTs them as JSON to a hardcoded webhook.site inspector URL (https://webhook.site/49781ccd-e409-4a90-8a42-34ed52b9e7b1). package.json ships empty author/description/keywords metadata and declares no legitimate purpose. The behavior is an unconditional install-time beacon that leaks installer host/user identifiers to an author-controlled inspection endpoint.\n","modified":"2026-07-08T17:16:51.942060577Z","published":"2026-07-08T16:25:19Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-08T17:01:30.711731601Z","source":"amazon-inspector","versions":["99.9.9"],"sha256":"8c9f63368f7e1147ade261a87f45e32e13bcf79b5336efad59087ce85e64a849","modified_time":"2026-07-08T16:25:19Z","id":"IN-MAL-2026-008103"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ronyfortest/v/99.9.9"}],"affected":[{"package":{"name":"ronyfortest","ecosystem":"npm","purl":"pkg:npm/ronyfortest"},"versions":["99.9.9"],"database_specific":{"indicators":{"evidence_files":[{"path":"index.js","sha256":"7a9f3ba37de5f2ab9599647633db954f50f3a429ab6afbcedbfbb5857bfa668b","tlsh":"ef01c0f581f7b6601eb972e19849ec19a266e001b00e99d0776883a4afc59f416b1adc"},{"sha256":"4cf299522a2d798abc17f33c485a442ed34007628e2a0974d4dc9eec8025dfa5","path":"package.json","tlsh":"05d0a7745c21962328d416950967680ab6a1cd1b0108780d5797141892de93344fd20e"}],"package_integrity":[{"filename":"ronyfortest-99.9.9.tgz","hashes":{"sha512_sri":"sha512-jz8aj2kpm0nJT5z7QVbn2Jwv89zoHOD8csvLbVF7Pi/3rLVaT07uL6FThONCtnVe8z4a5peV8MwN2B5vgkEJaQ==","sha1":"cd0a805f19c53b3d7c7808d10135a9e96bc98c80"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ronyfortest/MAL-2026-7002.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}