MAL-2026-5523

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@orion-design-system/foundation/MAL-2026-5523.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5523
Published
2026-06-10T18:22:05Z
Modified
2026-06-11T00:16:29.343948056Z
Summary
Malicious code in @orion-design-system/foundation (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3e7fdf1bb78d6c3750adffa854f5f08c7f2fd7af6166f7234aa5cbf4974a1375)

The package's npm preinstall lifecycle script runs an inline node -e payload that collects the installer's hostname (os.hostname()) and OS username (os.userInfo().username) and transmits both to an attacker-controlled ProjectDiscovery Interactsh listener at d8ks495t5p5ut2enft80hii4hqu7wt7gb.oast.site over two channels: first an HTTPS GET with the values in query parameters (?h=<hostname>&u=<username>), then a DNS lookup with the hostname encoded as a subdomain, so the beacon still arrives where HTTP egress is filtered but outbound DNS resolution is not. The attacker controls the unique OAST subdomain and receives both the HTTP request and the DNS query out-of-band.

The 9999.x version numbers and the @orion-design-system scope are the canonical fingerprint of a dependency-confusion attack: an implausibly high version is published to the public npm registry under a scope the attacker believes belongs to a private/internal package, so any build whose resolution for that scope falls through to the public registry pulls this version in preference to the internal one and executes the exfiltration during npm install.

Source: ossf-package-analysis (9a64f6bdb5211b25baf8dbdc18c5d6ab23aac374b09f5158a1a0316701d208c4)

The OpenSSF Package Analysis project identified '@orion-design-system/foundation' @ 9999.0.4 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005270",
            "versions": [
                "9999.0.1"
            ],
            "sha256": "415d4de9648e791e061f26a8939e7530af9b3365ec0d00c38fa3642e9b83fcb5",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:22:11Z",
            "import_time": "2026-06-10T19:23:47.034028738Z"
        },
        {
            "id": "IN-MAL-2026-005267",
            "versions": [
                "9999.0.2"
            ],
            "sha256": "72f7c1d7bf0e1bc45618de90faa1a3b60b99f75df2b2f264174f1a6cc10710cc",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:22:05Z",
            "import_time": "2026-06-10T19:23:46.842983255Z"
        },
        {
            "id": "IN-MAL-2026-005280",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "7bec5d5dff963ff4617162b4ad15dff8188ccc309d0beaf0c08c405261dce1ac",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:23:08Z",
            "import_time": "2026-06-10T19:23:47.625525363Z"
        },
        {
            "id": "IN-MAL-2026-005279",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "8f8221eb2d51c14500cfc2ca44338fad4d4ec785310189059637c5f1a879517f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:23:07Z",
            "import_time": "2026-06-10T19:23:47.55589777Z"
        },
        {
            "id": "IN-MAL-2026-005269",
            "versions": [
                "9999.0.1"
            ],
            "sha256": "b664659493765f2f9edcce7a5eda55d284ef03f7a8eed3855d41c2d448629fa3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:22:10Z",
            "import_time": "2026-06-10T19:23:46.98138223Z"
        },
        {
            "id": "IN-MAL-2026-005268",
            "versions": [
                "9999.0.2"
            ],
            "sha256": "ed052905a32341ca24d144ea6fa4593962ba1a390210006d659fb883a5a732b0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:22:06Z",
            "import_time": "2026-06-10T19:23:46.908761443Z"
        },
        {
            "import_time": "2026-06-10T21:21:03.442323534Z",
            "sha256": "9a64f6bdb5211b25baf8dbdc18c5d6ab23aac374b09f5158a1a0316701d208c4",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-10T20:25:59Z",
            "versions": [
                "9999.0.4"
            ]
        },
        {
            "id": "IN-MAL-2026-005305",
            "import_time": "2026-06-11T00:00:56.700756454Z",
            "sha256": "c7722eaea7bc7ae326ec6ff4cdb730467da8c7de628bcc8860300dc09996c6e7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:31:52Z",
            "versions": [
                "9999.0.4"
            ]
        },
        {
            "id": "IN-MAL-2026-005304",
            "versions": [
                "9999.0.4"
            ],
            "sha256": "3e7fdf1bb78d6c3750adffa854f5f08c7f2fd7af6166f7234aa5cbf4974a1375",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:31:51Z",
            "import_time": "2026-06-11T00:00:56.623380296Z"
        },
        {
            "id": "IN-MAL-2026-005309",
            "import_time": "2026-06-11T00:00:57.074586318Z",
            "sha256": "544c5d9976421747f56df9014dbd7777532d14be9b3cd4805ecddaa8b92df9ab",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:32:04Z",
            "versions": [
                "9999.0.3"
            ]
        },
        {
            "id": "IN-MAL-2026-005308",
            "import_time": "2026-06-11T00:00:56.954354821Z",
            "sha256": "acebde0a3b345dcd7f51f857b4d37497cc71f2a65ab73f8b9e16f748481da0d4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:32:04Z",
            "versions": [
                "9999.0.3"
            ]
        }
    ]
}

Affected packages

npm / @orion-design-system/foundation

Package

Name
@orion-design-system/foundation
Purl
pkg:npm/%40orion-design-system%2Ffoundation

Affected ranges

Affected versions

9999.*
9999.0.0
9999.0.1
9999.0.2
9999.0.3
9999.0.4

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "32afd4635db9d1167a835258d8ee5a1e88388580b7004e091539e376d4f99a77",
            "tlsh": "da012d780060a83b0ce901f102ba6b1ea0f7eb264ad4ac69c5e7128803a83b2073707c"
        }
    ],
    "package_integrity": [
        {
            "filename": "foundation-9999.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-UfXeEH5x05c8enypFjN2fs519520H+YyAl7YjkZbj7d136F/d6IQwrsNMKB7qYyFsSojSqseEl0haaKZQg8ddQ==",
                "sha1": "062da7b2fa7adbcb0a2c5ce4e9ea784a63c2e187"
            }
        }
    ],
    "domains": [
        "orion-foundation.scan-50ecf42d04d3.d8knf6tt5p5gb5rnlp8g6wqfcq5q5nkhc.oast.site",
        "d8knf6tt5p5gb5rnlp8g6wqfcq5q5nkhc.oast.site"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@orion-design-system/foundation/MAL-2026-5523.json"