VYPR

npm · Malicious package advisory

Malware

@orion-design-system/foundation

MAL-2026-5523

Malicious code in @orion-design-system/foundation (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3e7fdf1bb78d6c3750adffa854f5f08c7f2fd7af6166f7234aa5cbf4974a1375)
The package's npm preinstall lifecycle script runs an inline `node -e` payload that collects the installer's hostname (`os.hostname()`) and OS username (`os.userInfo().username`) and transmits both to an attacker-controlled ProjectDiscovery Interactsh listener at `d8ks495t5p5ut2enft80hii4hqu7wt7gb.oast.site` — first as an HTTPS GET with the values in query parameters (`?h=<hostname>&u=<username>`), then as a DNS lookup encoding the hostname into a subdomain (dual-channel to bypass egress filtering). The attacker controls the unique OAST subdomain and receives both the HTTP request and the DNS query out-of-band. The version `9999.0.4` and the `@orion-design-system` scope are the canonical fingerprints of a dependency-confusion attack: a high version number is published to public npm under a scope that the attacker believes corresponds to a private/internal package, so any victim build that misroutes resolution to the public registry will pull this version and execute the exfiltration on `npm install`.

## Source: ossf-package-analysis (9a64f6bdb5211b25baf8dbdc18c5d6ab23aac374b09f5158a1a0316701d208c4)
The OpenSSF Package Analysis project identified '@orion-design-system/foundation' @ 9999.0.4 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (5)

  • 9999.0.1
  • 9999.0.2
  • 9999.0.0
  • 9999.0.4
  • 9999.0.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.