OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-7004 confirms this npm version as malicious. On `npm install`, the package's postinstall hook executes index.js, which collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), non-internal IPv4 address from os.networkInterfaces(), and the working directory (INIT_CWD / cwd), and POSTs them via https.request to a hardcoded webhook.site capture URL (https://webhook.site/742b2c61-b48c-4540-9963-a33713dedaf1)...
Advisory
MAL-2026-7004
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in thunder-rony (npm)
Details
On `npm install`, the package's postinstall hook executes index.js, which collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), non-internal IPv4 address from os.networkInterfaces(), and the working directory (INIT_CWD / cwd), and POSTs them via https.request to a hardcoded webhook.site capture URL (https://webhook.site/742b2c61-b48c-4540-9963-a33713dedaf1). No functional code accompanies the beacon; package metadata is empty (description/author/keywords) and the version is an implausible 99.9.9, consistent with a dependency-confusion or reconnaissance-squat probe. Installing the package causes automatic, non-consensual exfiltration of installer identity and environment data to an attacker-controlled endpoint.
Decision reason
OpenSSF Malicious Packages via OSV confirms thunder-rony@99.9.9 as malicious (MAL-2026-7004): Malicious code in thunder-rony (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory