-= Per source details. Do not edit below this line.=-
The package's postinstall hook (node index.js) runs automatically on npm install and collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), and working directory (process.env.INIT_CWD || process.cwd()), then POSTs them as JSON to a hardcoded webhook.site inspector URL (https://webhook.site/49781ccd-e409-4a90-8a42-34ed52b9e7b1). package.json ships empty author/description/keywords metadata and declares no legitimate purpose. The behavior is an unconditional install-time beacon that leaks installer host/user identifiers to an author-controlled inspection endpoint.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-08T16:25:19Z",
"id": "IN-MAL-2026-008103",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:01:30.711731601Z",
"sha256": "8c9f63368f7e1147ade261a87f45e32e13bcf79b5336efad59087ce85e64a849",
"versions": [
"99.9.9"
]
}
]
}{
"evidence_files": [
{
"path": "index.js",
"tlsh": "ef01c0f581f7b6601eb972e19849ec19a266e001b00e99d0776883a4afc59f416b1adc",
"sha256": "7a9f3ba37de5f2ab9599647633db954f50f3a429ab6afbcedbfbb5857bfa668b"
},
{
"path": "package.json",
"tlsh": "05d0a7745c21962328d416950967680ab6a1cd1b0108780d5797141892de93344fd20e",
"sha256": "4cf299522a2d798abc17f33c485a442ed34007628e2a0974d4dc9eec8025dfa5"
}
],
"package_integrity": [
{
"filename": "ronyfortest-99.9.9.tgz",
"hashes": {
"sha1": "cd0a805f19c53b3d7c7808d10135a9e96bc98c80",
"sha512_sri": "sha512-jz8aj2kpm0nJT5z7QVbn2Jwv89zoHOD8csvLbVF7Pi/3rLVaT07uL6FThONCtnVe8z4a5peV8MwN2B5vgkEJaQ=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ronyfortest/MAL-2026-7002.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]