MAL-2026-7004

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/thunder-rony/MAL-2026-7004.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7004
Published
2026-07-08T16:25:37Z
Modified
2026-07-08T17:16:53.051088821Z
Summary
Malicious code in thunder-rony (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b49da9c4d3522da30e4c917c3102444f9d61d3ab3e9c547b74b9240168754b9a)

On npm install, the package's postinstall hook executes index.js, which collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), non-internal IPv4 address from os.networkInterfaces(), and the working directory (INIT_CWD / cwd), and POSTs them via https.request to a hardcoded webhook.site capture URL (https://webhook.site/742b2c61-b48c-4540-9963-a33713dedaf1). No functional code accompanies the beacon; package metadata is empty (description/author/keywords) and the version is an implausible 99.9.9, consistent with a dependency-confusion or reconnaissance-squat probe. Installing the package causes automatic, non-consensual exfiltration of installer identity and environment data to an attacker-controlled endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "b49da9c4d3522da30e4c917c3102444f9d61d3ab3e9c547b74b9240168754b9a",
            "id": "IN-MAL-2026-008105",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:30.894500824Z",
            "modified_time": "2026-07-08T16:25:37Z",
            "versions": [
                "99.9.9"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / thunder-rony

Package

Affected ranges

Affected versions

99.*
99.9.9

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "df01c5f541f7b4641eb861d1984aec1da362e01170079ad0766883946fc5af425b1e9c",
            "sha256": "2ac49768f4d422d12d7dbc4dc634af61b568556e5acd3af829e110d3ab0c4787"
        },
        {
            "path": "package.json",
            "tlsh": "7fd0a7745c35a62328d416aa09a6690a75614e1b000878085793142892eea3348fd30d",
            "sha256": "6fb8d2c6b12399a6ee492af1d9eb30776d26fbb8e961d42e54a3586f04003fa8"
        }
    ],
    "package_integrity": [
        {
            "filename": "thunder-rony-99.9.9.tgz",
            "hashes": {
                "sha1": "636f6fdc86ee93cd15e6e4282db139f22b061900",
                "sha512_sri": "sha512-z/nG9VSOdvc+weng59xcY1nKB/y5jnnp1WLFLAyG36VoAm48OoVMRzmJtLuaRpr9Kv4Ig1mC9d7FO0pD3Kpgmg=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/thunder-rony/MAL-2026-7004.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]