npm · Malicious package advisory
Malwarerony-test
MAL-2026-7001
Malicious code in rony-test (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (873cd33646b64f2073cc37ed9649a3757fb8aa186d50f700cb8ad199196fd56c)
The package's main entry (index.js) collects installer identity data — os.userInfo().username, process.env.INIT_CWD || process.cwd(), and os.hostname() — and POSTs the JSON body to a hardcoded webhook.site endpoint (https://webhook.site/7088d897-5b86-4deb-8d29-5b7a263a49b4) at module load time via require('https'). Any consumer that requires or imports this package leaks host and user identifiers to an author-controlled third-party sink with no consent and no documented purpose (package description is 'Researching'). A postinstall entry ('node indes.js') references a non-existent file and would fail with MODULE_NOT_FOUND, so the install-time trigger is broken, but the load-time exfiltration via the main module is functional.
Compromised versions (1)
- 99.9.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.