npm

@orion-design-system/foundation @9999.0.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5523

Ecosystem

npm

Summary

The package's npm preinstall lifecycle script runs an inline node -e payload that collects the installer's hostname (os.hostname()) and OS username (os.userInfo().username) and transmits both to an attacker-controlled ProjectDiscovery Interactsh listener at d8ks495t5p5ut2enft80hii4hqu7wt7gb.oast.site: first as an HTTPS GET with the values in query parameters (?h=<hostname>&u=<username>), then as a DNS lookup that encodes the hostname into a subdomain. The second channel means the callback still lands where outbound HTTPS is blocked but DNS resolution is allowed, which is the usual gap in egress filtering. The attacker controls the unique OAST subdomain and receives both the HTTP request and the DNS query out-of-band.

The version 9999.0.4 and the @orion-design-system scope are the canonical fingerprints of a dependency-confusion attack: a high version number is published to public npm under a scope that the attacker believes corresponds to a private/internal package, so any victim build that resolves that scope against the public registry will pull this version and execute the exfiltration on npm install, before any code from the package is ever imported. Installing with --ignore-scripts (or ignore-scripts=true in .npmrc) stops the preinstall hook from running but does not stop the package from being resolved; the durable fix is to pin the scope to the private registry in .npmrc and verify that lockfile entries for it point there.

Source: amazon-inspector (3e7fdf1bb78d6c3750adffa854f5f08c7f2fd7af6166f7234aa5cbf4974a1375)
