MAL-2026-5524

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@orion-design-system/store/MAL-2026-5524.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5524

Published

2026-06-10T18:21:54Z

Modified

2026-06-10T19:31:30.633098598Z

Summary

Malicious code in @orion-design-system/store (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4218505b74ba258cea12df713bbc27db9fa58d6660cf83e6d0c5fd8a9f68a4c2)

package.json declares a preinstall script that runs on every npm install. The script uses node -e to require os and https, reads os.hostname() and os.userInfo().username, and exfiltrates them to d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun (an Interactsh OAST callback host) via both an HTTPS GET with the values in the query string and a DNS lookup with the hostname embedded in the subdomain. The package combines this active exfiltration with a textbook Alex Birsan dependency-confusion shape: an internal-looking scope (@orion-design-system), an absurdly high version (9999.0.0) designed to win version resolution against a private registry, and a README that explicitly names the target organization (Cloud Imperium Games / Roberts Space Industries). Any build system misconfigured to resolve the public copy over a private internal package will leak host identifiers to the attacker-controlled OAST endpoint at install time. 'Authorized research' framing in the README does not neutralize the install-time payload — the script fires unconditionally on any installer that resolves this package.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005263",
            "versions": [
                "9999.0.2"
            ],
            "sha256": "18c29b2dcc4ee4794aa7b5a1199b5775d54d56eec361d95720af15dc1ddd7916",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:21:54Z",
            "import_time": "2026-06-10T19:23:46.519208166Z"
        },
        {
            "id": "IN-MAL-2026-005276",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "9815f5aa81bcd030a391df30c297ef8fdfe95111569b4d2b77e5aeba1d2183d9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:22:57Z",
            "import_time": "2026-06-10T19:23:47.374149452Z"
        },
        {
            "id": "IN-MAL-2026-005264",
            "versions": [
                "9999.0.2"
            ],
            "sha256": "1b337743ad6e42e473396da2514abe56ba198f0776eaf2c7583335007066472e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:21:55Z",
            "import_time": "2026-06-10T19:23:46.629605118Z"
        },
        {
            "id": "IN-MAL-2026-005273",
            "import_time": "2026-06-10T19:23:47.199943856Z",
            "sha256": "32e10728cad830e305f8b7884fd0577b993901223cb5e658620f73d397a3355c",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:22:51Z",
            "versions": [
                "9999.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005275",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "4218505b74ba258cea12df713bbc27db9fa58d6660cf83e6d0c5fd8a9f68a4c2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:22:57Z",
            "import_time": "2026-06-10T19:23:47.31321076Z"
        },
        {
            "id": "IN-MAL-2026-005274",
            "import_time": "2026-06-10T19:23:47.251862696Z",
            "sha256": "69f8ac78836d4508d6c1647cceec0814cd41da0cdf862199e2e4b7d9dccb8944",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:22:52Z",
            "versions": [
                "9999.0.1"
            ]
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @orion-design-system/store

Package

Name: @orion-design-system/store; View open source insights on deps.dev
Purl: pkg:npm/%40orion-design-system%2Fstore

Affected ranges

Affected versions

9999.*

9999.0.0

9999.0.1

9999.0.2

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "51004bbf3fdebea3fe02980e351a31beaf5545a58420d73d9a8313418de42bfe",
            "tlsh": "98f0dd3944a0e8370dc901e016b66e0eb0f7eb2a4ad45d58a5a7128c53a97b2177603c"
        }
    ],
    "package_integrity": [
        {
            "filename": "store-9999.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-x/Nz0vM9mwZMiyrQMVeYR4liuCdJjr5kLgTFMaOFxdZcxGw9Y7P/X/rTR7HefjYNGMVC6Gd2rAAz2Zn+3FyU4g==",
                "sha1": "3a88b55007aea47a8f5d8fc8bcbd8e74f04261a2"
            }
        }
    ],
    "domains": [
        "orion-store.scan-1e350f78bc89.d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun",
        "d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@orion-design-system/store/MAL-2026-5524.json"