{"id":"MAL-2026-7004","summary":"Malicious code in thunder-rony (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b49da9c4d3522da30e4c917c3102444f9d61d3ab3e9c547b74b9240168754b9a)\nOn `npm install`, the package's postinstall hook executes index.js, which collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), non-internal IPv4 address from os.networkInterfaces(), and the working directory (INIT_CWD / cwd), and POSTs them via https.request to a hardcoded webhook.site capture URL (https://webhook.site/742b2c61-b48c-4540-9963-a33713dedaf1). No functional code accompanies the beacon; package metadata is empty (description/author/keywords) and the version is an implausible 99.9.9, consistent with a dependency-confusion or reconnaissance-squat probe. Installing the package causes automatic, non-consensual exfiltration of installer identity and environment data to an attacker-controlled endpoint.\n","modified":"2026-07-08T17:16:53.051088821Z","published":"2026-07-08T16:25:37Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-08T16:25:37Z","id":"IN-MAL-2026-008105","import_time":"2026-07-08T17:01:30.894500824Z","sha256":"b49da9c4d3522da30e4c917c3102444f9d61d3ab3e9c547b74b9240168754b9a","source":"amazon-inspector","versions":["99.9.9"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/thunder-rony/v/99.9.9"}],"affected":[{"package":{"name":"thunder-rony","ecosystem":"npm","purl":"pkg:npm/thunder-rony"},"versions":["99.9.9"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/thunder-rony/MAL-2026-7004.json","indicators":{"evidence_files":[{"tlsh":"df01c5f541f7b4641eb861d1984aec1da362e01170079ad0766883946fc5af425b1e9c","sha256":"2ac49768f4d422d12d7dbc4dc634af61b568556e5acd3af829e110d3ab0c4787","path":"index.js"},{"tlsh":"7fd0a7745c35a62328d416aa09a6690a75614e1b000878085793142892eea3348fd30d","sha256":"6fb8d2c6b12399a6ee492af1d9eb30776d26fbb8e961d42e54a3586f04003fa8","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-z/nG9VSOdvc+weng59xcY1nKB/y5jnnp1WLFLAyG36VoAm48OoVMRzmJtLuaRpr9Kv4Ig1mC9d7FO0pD3Kpgmg==","sha1":"636f6fdc86ee93cd15e6e4282db139f22b061900"},"filename":"thunder-rony-99.9.9.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}