@orion-design-system/store @9999.0.2
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5524
Ecosystem
npm
Summary
package.json declares a preinstall script that runs on every npm install. The script uses node -e to require os and https, reads os.hostname() and os.userInfo().username, and exfiltrates them to d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun (an Interactsh OAST callback host) via both an HTTPS GET with the values in the query string and a DNS lookup with the hostname embedded in the subdomain. The package combines this active exfiltration with a textbook Alex Birsan dependency-confusion shape: an internal-looking scope (@orion-design-system), an absurdly high version (9999.0.0) designed to win version resolution against a private registry, and a README that explicitly names the target organization (Cloud Imperium Games / Roberts Space Industries). Any build system misconfigured to resolve the public copy over a private internal package will leak host identifiers to the attacker-controlled OAST endpoint at install time. 'Authorized research' framing in the README does not neutralize the install-time payload — the script fires unconditionally on any installer that resolves this package.
Source: amazon-inspector (4218505b74ba258cea12df713bbc27db9fa58d6660cf83e6d0c5fd8a9f68a4c2)