VDB
KO

MAL-2026-7004

Malicious code in thunder-rony (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b49da9c4d3522da30e4c917c3102444f9d61d3ab3e9c547b74b9240168754b9a) On `npm install`, the package's postinstall hook executes index.js, which collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), non-internal IPv4 address from os.networkInterfaces(), and the working directory (INIT_CWD / cwd), and POSTs them via https.request to a hardcoded webhook.site capture URL (https://webhook.site/742b2c61-b48c-4540-9963-a33713dedaf1). No functional code accompanies the beacon; package metadata is empty (description/author/keywords) and the version is an implausible 99.9.9, consistent with a dependency-confusion or reconnaissance-squat probe. Installing the package causes automatic, non-consensual exfiltration of installer identity and environment data to an attacker-controlled endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / thunder-rony

No fixed version published yet for thunder-rony (npm). Pin to a known-safe version or switch to an alternative.

References