MAL-2026-7001

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rony-test/MAL-2026-7001.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7001
Published
2026-07-08T16:24:55Z
Modified
2026-07-08T17:16:51.744622755Z
Summary
Malicious code in rony-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (873cd33646b64f2073cc37ed9649a3757fb8aa186d50f700cb8ad199196fd56c)

The package's main entry (index.js) collects installer identity data — os.userInfo().username, process.env.INITCWD || process.cwd(), and os.hostname() — and POSTs the JSON body to a hardcoded webhook.site endpoint (https://webhook.site/7088d897-5b86-4deb-8d29-5b7a263a49b4) at module load time via require('https'). Any consumer that requires or imports this package leaks host and user identifiers to an author-controlled third-party sink with no consent and no documented purpose (package description is 'Researching'). A postinstall entry ('node indes.js') references a non-existent file and would fail with MODULENOT_FOUND, so the install-time trigger is broken, but the load-time exfiltration via the main module is functional.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "873cd33646b64f2073cc37ed9649a3757fb8aa186d50f700cb8ad199196fd56c",
            "id": "IN-MAL-2026-008100",
            "modified_time": "2026-07-08T16:24:55Z",
            "versions": [
                "99.9.9"
            ],
            "import_time": "2026-07-08T17:01:30.457816159Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / rony-test

Package

Affected ranges

Affected versions

99.*
99.9.9

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6faf0e080e64fff0079c1f8e87c30c452acf3cc71fc5fbf131da4b05c7ba18e7",
            "tlsh": "9801c0f591f7b1640ea921e1984aec1a6322e401700a9dd4baa8c3a4afc19f425b1adc",
            "path": "index.js"
        },
        {
            "sha256": "ef2cbc37c6de54b3324fec77959b63d71335e03d5a35727d9d576d0b63520b31",
            "tlsh": "5cd0a7285c31962378d41aa90da5a80aaa619e1f0208781e1ba7105c92eed3748be30f",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "rony-test-99.9.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-9jYRUGOit1ADPNA/scHuh4g/bnACzg/Ri5YPzNh+t4A8wj1XBcS/xvJtE+drEJE8NfPAy+Mjkk5oXLk/4z+9uw==",
                "sha1": "a2e64ec80e6598c31b4c82b77b6b5bc2e6d6e902"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rony-test/MAL-2026-7001.json"