{"id":"MAL-2026-5523","summary":"Malicious code in @orion-design-system/foundation (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3e7fdf1bb78d6c3750adffa854f5f08c7f2fd7af6166f7234aa5cbf4974a1375)\nThe package's npm preinstall lifecycle script runs an inline `node -e` payload that collects the installer's hostname (`os.hostname()`) and OS username (`os.userInfo().username`) and transmits both to an attacker-controlled ProjectDiscovery Interactsh listener at `d8ks495t5p5ut2enft80hii4hqu7wt7gb.oast.site` — first as an HTTPS GET with the values in query parameters (`?h=\u003chostname\u003e&u=\u003cusername\u003e`), then as a DNS lookup encoding the hostname into a subdomain (dual-channel to bypass egress filtering). The attacker controls the unique OAST subdomain and receives both the HTTP request and the DNS query out-of-band. The version `9999.0.4` and the `@orion-design-system` scope are the canonical fingerprints of a dependency-confusion attack: a high version number is published to public npm under a scope that the attacker believes corresponds to a private/internal package, so any victim build that misroutes resolution to the public registry will pull this version and execute the exfiltration on `npm install`.\n\n## Source: ossf-package-analysis (9a64f6bdb5211b25baf8dbdc18c5d6ab23aac374b09f5158a1a0316701d208c4)\nThe OpenSSF Package Analysis project identified '@orion-design-system/foundation' @ 9999.0.4 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-11T00:16:29.343948056Z","published":"2026-06-10T18:22:05Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-005270","import_time":"2026-06-10T19:23:47.034028738Z","modified_time":"2026-06-10T18:22:11Z","versions":["9999.0.1"],"sha256":"415d4de9648e791e061f26a8939e7530af9b3365ec0d00c38fa3642e9b83fcb5"},{"id":"IN-MAL-2026-005267","source":"amazon-inspector","import_time":"2026-06-10T19:23:46.842983255Z","modified_time":"2026-06-10T18:22:05Z","versions":["9999.0.2"],"sha256":"72f7c1d7bf0e1bc45618de90faa1a3b60b99f75df2b2f264174f1a6cc10710cc"},{"id":"IN-MAL-2026-005280","source":"amazon-inspector","import_time":"2026-06-10T19:23:47.625525363Z","modified_time":"2026-06-10T18:23:08Z","versions":["9999.0.0"],"sha256":"7bec5d5dff963ff4617162b4ad15dff8188ccc309d0beaf0c08c405261dce1ac"},{"source":"amazon-inspector","id":"IN-MAL-2026-005279","import_time":"2026-06-10T19:23:47.55589777Z","modified_time":"2026-06-10T18:23:07Z","versions":["9999.0.0"],"sha256":"8f8221eb2d51c14500cfc2ca44338fad4d4ec785310189059637c5f1a879517f"},{"id":"IN-MAL-2026-005269","source":"amazon-inspector","import_time":"2026-06-10T19:23:46.98138223Z","modified_time":"2026-06-10T18:22:10Z","versions":["9999.0.1"],"sha256":"b664659493765f2f9edcce7a5eda55d284ef03f7a8eed3855d41c2d448629fa3"},{"id":"IN-MAL-2026-005268","source":"amazon-inspector","import_time":"2026-06-10T19:23:46.908761443Z","modified_time":"2026-06-10T18:22:06Z","versions":["9999.0.2"],"sha256":"ed052905a32341ca24d144ea6fa4593962ba1a390210006d659fb883a5a732b0"},{"source":"ossf-package-analysis","import_time":"2026-06-10T21:21:03.442323534Z","modified_time":"2026-06-10T20:25:59Z","versions":["9999.0.4"],"sha256":"9a64f6bdb5211b25baf8dbdc18c5d6ab23aac374b09f5158a1a0316701d208c4"},{"id":"IN-MAL-2026-005305","source":"amazon-inspector","import_time":"2026-06-11T00:00:56.700756454Z","modified_time":"2026-06-10T23:31:52Z","versions":["9999.0.4"],"sha256":"c7722eaea7bc7ae326ec6ff4cdb730467da8c7de628bcc8860300dc09996c6e7"},{"id":"IN-MAL-2026-005304","source":"amazon-inspector","import_time":"2026-06-11T00:00:56.623380296Z","modified_time":"2026-06-10T23:31:51Z","versions":["9999.0.4"],"sha256":"3e7fdf1bb78d6c3750adffa854f5f08c7f2fd7af6166f7234aa5cbf4974a1375"},{"source":"amazon-inspector","id":"IN-MAL-2026-005309","import_time":"2026-06-11T00:00:57.074586318Z","modified_time":"2026-06-10T23:32:04Z","versions":["9999.0.3"],"sha256":"544c5d9976421747f56df9014dbd7777532d14be9b3cd4805ecddaa8b92df9ab"},{"source":"amazon-inspector","id":"IN-MAL-2026-005308","import_time":"2026-06-11T00:00:56.954354821Z","modified_time":"2026-06-10T23:32:04Z","versions":["9999.0.3"],"sha256":"acebde0a3b345dcd7f51f857b4d37497cc71f2a65ab73f8b9e16f748481da0d4"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/foundation/v/9999.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/foundation/v/9999.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/foundation/v/9999.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/foundation/v/9999.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/foundation/v/9999.0.3"}],"affected":[{"package":{"name":"@orion-design-system/foundation","ecosystem":"npm","purl":"pkg:npm/%40orion-design-system%2Ffoundation"},"versions":["9999.0.1","9999.0.2","9999.0.0","9999.0.4","9999.0.3"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"da012d780060a83b0ce901f102ba6b1ea0f7eb264ad4ac69c5e7128803a83b2073707c","path":"package.json","sha256":"32afd4635db9d1167a835258d8ee5a1e88388580b7004e091539e376d4f99a77"}],"domains":["orion-foundation.scan-50ecf42d04d3.d8knf6tt5p5gb5rnlp8g6wqfcq5q5nkhc.oast.site","d8knf6tt5p5gb5rnlp8g6wqfcq5q5nkhc.oast.site"],"package_integrity":[{"hashes":{"sha1":"062da7b2fa7adbcb0a2c5ce4e9ea784a63c2e187","sha512_sri":"sha512-UfXeEH5x05c8enypFjN2fs519520H+YyAl7YjkZbj7d136F/d6IQwrsNMKB7qYyFsSojSqseEl0haaKZQg8ddQ=="},"filename":"foundation-9999.0.2.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@orion-design-system/foundation/MAL-2026-5523.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}