-= Per source details. Do not edit below this line.=-
The package's main entry (index.js) collects installer identity data — os.userInfo().username, process.env.INITCWD || process.cwd(), and os.hostname() — and POSTs the JSON body to a hardcoded webhook.site endpoint (https://webhook.site/7088d897-5b86-4deb-8d29-5b7a263a49b4) at module load time via require('https'). Any consumer that requires or imports this package leaks host and user identifiers to an author-controlled third-party sink with no consent and no documented purpose (package description is 'Researching'). A postinstall entry ('node indes.js') references a non-existent file and would fail with MODULENOT_FOUND, so the install-time trigger is broken, but the load-time exfiltration via the main module is functional.
{
"malicious-packages-origins": [
{
"sha256": "873cd33646b64f2073cc37ed9649a3757fb8aa186d50f700cb8ad199196fd56c",
"id": "IN-MAL-2026-008100",
"modified_time": "2026-07-08T16:24:55Z",
"versions": [
"99.9.9"
],
"import_time": "2026-07-08T17:01:30.457816159Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "6faf0e080e64fff0079c1f8e87c30c452acf3cc71fc5fbf131da4b05c7ba18e7",
"tlsh": "9801c0f591f7b1640ea921e1984aec1a6322e401700a9dd4baa8c3a4afc19f425b1adc",
"path": "index.js"
},
{
"sha256": "ef2cbc37c6de54b3324fec77959b63d71335e03d5a35727d9d576d0b63520b31",
"tlsh": "5cd0a7285c31962378d41aa90da5a80aaa619e1f0208781e1ba7105c92eed3748be30f",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "rony-test-99.9.9.tgz",
"hashes": {
"sha512_sri": "sha512-9jYRUGOit1ADPNA/scHuh4g/bnACzg/Ri5YPzNh+t4A8wj1XBcS/xvJtE+drEJE8NfPAy+Mjkk5oXLk/4z+9uw==",
"sha1": "a2e64ec80e6598c31b4c82b77b6b5bc2e6d6e902"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rony-test/MAL-2026-7001.json"