OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-7001 confirms this npm version as malicious. The package's main entry (index.js) collects installer identity data — os.userInfo().username, process.env.INIT_CWD || process.cwd(), and os.hostname() — and POSTs the JSON body to a hardcoded webhook.site endpoint (https://webhook.site/7088d897-5b86-4deb-8d29-5b7a263a49b4) at module load time via require('https')...
Advisory
MAL-2026-7001
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in rony-test (npm)
Details
The package's main entry (index.js) collects installer identity data — os.userInfo().username, process.env.INIT_CWD || process.cwd(), and os.hostname() — and POSTs the JSON body to a hardcoded webhook.site endpoint (https://webhook.site/7088d897-5b86-4deb-8d29-5b7a263a49b4) at module load time via require('https'). Any consumer that requires or imports this package leaks host and user identifiers to an author-controlled third-party sink with no consent and no documented purpose (package description is 'Researching'). A postinstall entry ('node indes.js') references a non-existent file and would fail with MODULE_NOT_FOUND, so the install-time trigger is broken, but the load-time exfiltration via the main module is functional.
Decision reason
OpenSSF Malicious Packages via OSV confirms rony-test@99.9.9 as malicious (MAL-2026-7001): Malicious code in rony-test (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory