registry  /  ronyfortest  /  99.9.9

ronyfortest@99.9.9

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-7002 confirms this npm version as malicious. The package's postinstall hook (`node index.js`) runs automatically on `npm install` and collects the installer's OS username (`os.userInfo().username`), hostname (`os.hostname()`), and working directory (`process.env.INIT_CWD || process.cwd()`), then POSTs them as JSON to a hardcoded webhook.site inspector URL (https://webhook.site/49781ccd-e409-4a90-8a42-34ed52b9e7b1). package.json ships empty...

Advisory
MAL-2026-7002
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ronyfortest (npm)
Details
The package's postinstall hook (`node index.js`) runs automatically on `npm install` and collects the installer's OS username (`os.userInfo().username`), hostname (`os.hostname()`), and working directory (`process.env.INIT_CWD || process.cwd()`), then POSTs them as JSON to a hardcoded webhook.site inspector URL (https://webhook.site/49781ccd-e409-4a90-8a42-34ed52b9e7b1). package.json ships empty author/description/keywords metadata and declares no legitimate purpose. The behavior is an unconditional install-time beacon that leaks installer host/user identifiers to an author-controlled inspection endpoint.
Decision reason
OpenSSF Malicious Packages via OSV confirms ronyfortest@99.9.9 as malicious (MAL-2026-7002): Malicious code in ronyfortest (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory