{"id":"MAL-2026-5524","summary":"Malicious code in @orion-design-system/store (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4218505b74ba258cea12df713bbc27db9fa58d6660cf83e6d0c5fd8a9f68a4c2)\npackage.json declares a preinstall script that runs on every `npm install`. The script uses `node -e` to require `os` and `https`, reads `os.hostname()` and `os.userInfo().username`, and exfiltrates them to `d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun` (an Interactsh OAST callback host) via both an HTTPS GET with the values in the query string and a DNS lookup with the hostname embedded in the subdomain. The package combines this active exfiltration with a textbook Alex Birsan dependency-confusion shape: an internal-looking scope (`@orion-design-system`), an absurdly high version (`9999.0.0`) designed to win version resolution against a private registry, and a README that explicitly names the target organization (Cloud Imperium Games / Roberts Space Industries). Any build system misconfigured to resolve the public copy over a private internal package will leak host identifiers to the attacker-controlled OAST endpoint at install time. 'Authorized research' framing in the README does not neutralize the install-time payload — the script fires unconditionally on any installer that resolves this package.\n","modified":"2026-06-10T19:31:30.633098598Z","published":"2026-06-10T18:21:54Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-10T18:21:54Z","import_time":"2026-06-10T19:23:46.519208166Z","versions":["9999.0.2"],"source":"amazon-inspector","sha256":"18c29b2dcc4ee4794aa7b5a1199b5775d54d56eec361d95720af15dc1ddd7916","id":"IN-MAL-2026-005263"},{"modified_time":"2026-06-10T18:22:57Z","sha256":"9815f5aa81bcd030a391df30c297ef8fdfe95111569b4d2b77e5aeba1d2183d9","import_time":"2026-06-10T19:23:47.374149452Z","versions":["9999.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-005276"},{"modified_time":"2026-06-10T18:21:55Z","source":"amazon-inspector","sha256":"1b337743ad6e42e473396da2514abe56ba198f0776eaf2c7583335007066472e","import_time":"2026-06-10T19:23:46.629605118Z","versions":["9999.0.2"],"id":"IN-MAL-2026-005264"},{"modified_time":"2026-06-10T18:22:51Z","versions":["9999.0.1"],"source":"amazon-inspector","import_time":"2026-06-10T19:23:47.199943856Z","sha256":"32e10728cad830e305f8b7884fd0577b993901223cb5e658620f73d397a3355c","id":"IN-MAL-2026-005273"},{"modified_time":"2026-06-10T18:22:57Z","import_time":"2026-06-10T19:23:47.31321076Z","versions":["9999.0.0"],"source":"amazon-inspector","sha256":"4218505b74ba258cea12df713bbc27db9fa58d6660cf83e6d0c5fd8a9f68a4c2","id":"IN-MAL-2026-005275"},{"modified_time":"2026-06-10T18:22:52Z","id":"IN-MAL-2026-005274","versions":["9999.0.1"],"source":"amazon-inspector","sha256":"69f8ac78836d4508d6c1647cceec0814cd41da0cdf862199e2e4b7d9dccb8944","import_time":"2026-06-10T19:23:47.251862696Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/store/v/9999.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/store/v/9999.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@orion-design-system/store/v/9999.0.0"}],"affected":[{"package":{"name":"@orion-design-system/store","ecosystem":"npm","purl":"pkg:npm/%40orion-design-system%2Fstore"},"versions":["9999.0.2","9999.0.0","9999.0.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"3a88b55007aea47a8f5d8fc8bcbd8e74f04261a2","sha512_sri":"sha512-x/Nz0vM9mwZMiyrQMVeYR4liuCdJjr5kLgTFMaOFxdZcxGw9Y7P/X/rTR7HefjYNGMVC6Gd2rAAz2Zn+3FyU4g=="},"filename":"store-9999.0.2.tgz"}],"evidence_files":[{"path":"package.json","sha256":"51004bbf3fdebea3fe02980e351a31beaf5545a58420d73d9a8313418de42bfe","tlsh":"98f0dd3944a0e8370dc901e016b66e0eb0f7eb2a4ad45d58a5a7128c53a97b2177603c"}],"domains":["orion-store.scan-1e350f78bc89.d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun","d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun"]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@orion-design-system/store/MAL-2026-5524.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}