MAL-2026-7002

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ronyfortest/MAL-2026-7002.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7002
Published
2026-07-08T16:25:19Z
Modified
2026-07-08T17:16:51.942060577Z
Summary
Malicious code in ronyfortest (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8c9f63368f7e1147ade261a87f45e32e13bcf79b5336efad59087ce85e64a849)

The package's postinstall hook (node index.js) runs automatically on npm install and collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), and working directory (process.env.INIT_CWD || process.cwd()), then POSTs them as JSON to a hardcoded webhook.site inspector URL (https://webhook.site/49781ccd-e409-4a90-8a42-34ed52b9e7b1). package.json ships empty author/description/keywords metadata and declares no legitimate purpose. The behavior is an unconditional install-time beacon that leaks installer host/user identifiers to an author-controlled inspection endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-08T16:25:19Z",
            "id": "IN-MAL-2026-008103",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:30.711731601Z",
            "sha256": "8c9f63368f7e1147ade261a87f45e32e13bcf79b5336efad59087ce85e64a849",
            "versions": [
                "99.9.9"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / ronyfortest

Package

Affected ranges

Affected versions

99.*
99.9.9

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "ef01c0f581f7b6601eb972e19849ec19a266e001b00e99d0776883a4afc59f416b1adc",
            "sha256": "7a9f3ba37de5f2ab9599647633db954f50f3a429ab6afbcedbfbb5857bfa668b"
        },
        {
            "path": "package.json",
            "tlsh": "05d0a7745c21962328d416950967680ab6a1cd1b0108780d5797141892de93344fd20e",
            "sha256": "4cf299522a2d798abc17f33c485a442ed34007628e2a0974d4dc9eec8025dfa5"
        }
    ],
    "package_integrity": [
        {
            "filename": "ronyfortest-99.9.9.tgz",
            "hashes": {
                "sha1": "cd0a805f19c53b3d7c7808d10135a9e96bc98c80",
                "sha512_sri": "sha512-jz8aj2kpm0nJT5z7QVbn2Jwv89zoHOD8csvLbVF7Pi/3rLVaT07uL6FThONCtnVe8z4a5peV8MwN2B5vgkEJaQ=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ronyfortest/MAL-2026-7002.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]