VYPR

npm · Malicious package advisory

Malware

ronyfortest

MAL-2026-7002

Malicious code in ronyfortest (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c9f63368f7e1147ade261a87f45e32e13bcf79b5336efad59087ce85e64a849)
The package's postinstall hook (`node index.js`) runs automatically on `npm install` and collects the installer's OS username (`os.userInfo().username`), hostname (`os.hostname()`), and working directory (`process.env.INIT_CWD || process.cwd()`), then POSTs them as JSON to a hardcoded webhook.site inspector URL (https://webhook.site/49781ccd-e409-4a90-8a42-34ed52b9e7b1). package.json ships empty author/description/keywords metadata and declares no legitimate purpose. The behavior is an unconditional install-time beacon that leaks installer host/user identifiers to an author-controlled inspection endpoint.

Compromised versions (1)

  • 99.9.9

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.