{"id":"MAL-2026-5522","summary":"Malicious code in @orion-design-system/components (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f)\npackage.json declares a `preinstall` hook that runs an inline `node -e` script reading `os.hostname()` and `os.userInfo().username` and transmitting them via HTTPS GET (and a DNS lookup) to `d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun`, an interactsh/OAST callback subdomain not controlled by the installer. The hook fires automatically on `npm install`, with no opt-out. The package is published under the `@orion-design-system` scope at version `9999.0.0` — the canonical dependency-confusion bait version — and the README names Cloud Imperium Games / Roberts Space Industries as the intended target, confirming the package is positioned to be resolved over a private internal package of the same name. Any installer whose resolver picks the public version (intentionally or via misconfiguration) leaks host identifiers to a third-party collection endpoint on install. The `9999.0.0` version pin combined with the scope-targeted README and unconditional install-time beacon places this firmly in the active-attack / dependency-confusion-exfil pattern, regardless of any `research` framing.\n","modified":"2026-06-11T00:16:29.523152335Z","published":"2026-06-10T18:22:00Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-10T19:23:46.785502526Z","sha256":"5b2f8f861c74d508ab4b8c3716b24502c9b7d9576a1a7d5a12d943c8689a8aa6","source":"amazon-inspector","versions":["9999.0.2"],"id":"IN-MAL-2026-005266","modified_time":"2026-06-10T18:22:00Z"},{"sha256":"edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f","source":"amazon-inspector","import_time":"2026-06-10T19:23:47.439615066Z","versions":["9999.0.0"],"id":"IN-MAL-2026-005277","modified_time":"2026-06-10T18:23:01Z"},{"import_time":"2026-06-10T19:23:47.141951991Z","sha256":"fa4498f70425b07b70b45e690ec9bd4df39e2331b867b38f6c514fdace564d9a","source":"amazon-inspector","versions":["9999.0.1"],"id":"IN-MAL-2026-005272","modified_time":"2026-06-10T18:22:46Z"},{"source":"amazon-inspector","import_time":"2026-06-10T19:23:47.09525798Z","sha256":"613c244d661e5d4c24917f7b5f875ae3ba06702e87bb39e87c536a069a4bfdfd","versions":["9999.0.1"],"id":"IN-MAL-2026-005271","modified_time":"2026-06-10T18:22:45Z"},{"import_time":"2026-06-10T19:23:47.503943982Z","sha256":"7c720b8affc812f8715ba3276062643ae5cdf7f33e1fdb2d9b7f863aed37b265","source":"amazon-inspector","id":"IN-MAL-2026-005278","versions":["9999.0.0"],"modified_time":"2026-06-10T18:23:02Z"},{"import_time":"2026-06-10T19:23:46.713464407Z","sha256":"9bb4e5dc245e5190ba0541c3743ac690169de2eb2aff99bdba66f827d9233b65","source":"amazon-inspector","id":"IN-MAL-2026-005265","versions":["9999.0.2"],"modified_time":"2026-06-10T18:22:00Z"},{"import_time":"2026-06-11T00:00:56.874208606Z","sha256":"c77b1552ac6270761850a9f7f42c3eea13802392e2684f7093da3dcba4b11196","source":"amazon-inspector","versions":["9999.0.3"],"id":"IN-MAL-2026-005307","modified_time":"2026-06-10T23:32:00Z"},{"import_time":"2026-06-11T00:00:56.78812158Z","sha256":"cace6502c119f3fc25871413e4600fe6c4a278186974e38cae72390e11769379","source":"amazon-inspector","versions":["9999.0.3"],"id":"IN-MAL-2026-005306","modified_time":"2026-06-10T23:31:59Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/components/v/9999.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/components/v/9999.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/components/v/9999.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/components/v/9999.0.3"}],"affected":[{"package":{"name":"@orion-design-system/components","ecosystem":"npm","purl":"pkg:npm/%40orion-design-system%2Fcomponents"},"versions":["9999.0.2","9999.0.0","9999.0.1","9999.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@orion-design-system/components/MAL-2026-5522.json","indicators":{"domains":["bzexvuarrenmkxiyjrichx8eaxwssgv0x.oast.fun","orion-components.scan-9c76f414b7ee.bzexvuarrenmkxiyjrichx8eaxwssgv0x.oast.fun"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-vk7A+KG+nSHeyeIFS2dnWSRfHK1GcUNy6KeaxA9CccY1e9x0tQSFdoPqFaEVVpzRwv8j6/teTodSIPJbJqtSbg==","sha1":"20278b5365b66eac2b5b32456d52ea1c36ab9d90"},"filename":"components-9999.0.0.tgz"}],"evidence_files":[{"path":"package.json","tlsh":"cb019978062098331dd644f403ba691bb1f3da86c9d55c0adae741c5a3ca7f127ba075","sha256":"fd725b830e409f5f9ce4266ef67a551dc04c2717c2f48d40421753e04cc9b452"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}