Which versions of @orion-design-system/components are malicious?

The following npm versions of @orion-design-system/components are flagged malicious: 9999.0.0, 9999.0.1, 9999.0.2. Treat any of these as compromised.

How do I remediate @orion-design-system/components if I installed it?

Remove @orion-design-system/components from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @orion-design-system/components part of a known attack campaign?

Yes — @orion-design-system/components is associated with the IN-MAL-2026-005266, IN-MAL-2026-005277, IN-MAL-2026-005272, IN-MAL-2026-005271, IN-MAL-2026-005278, IN-MAL-2026-005265 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @orion-design-system/components in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @orion-design-system/components and packages like it before any post-install script runs.

Malicious package

@orion-design-system/componentsnpm

Malicious code in @orion-design-system/components (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5522

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @orion-design-system/components

What this malware does

package.json declares a preinstall hook that runs an inline node -e script reading os.hostname() and os.userInfo().username and transmitting them via HTTPS GET (and a DNS lookup) to d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun, an interactsh/OAST callback subdomain not controlled by the installer. The hook fires automatically on npm install, with no opt-out. The package is published under the @orion-design-system scope at version 9999.0.0 — the canonical dependency-confusion bait version — and the README names Cloud Imperium Games / Roberts Space Industries as the intended target, confirming the package is positioned to be resolved over a private internal package of the same name. Any installer whose resolver picks the public version (intentionally or via misconfiguration) leaks host identifiers to a third-party collection endpoint on install. The 9999.0.0 version pin combined with the scope-targeted README and unconditional install-time beacon places this firmly in the active-attack / dependency-confusion-exfil pattern, regardless of any research framing.

Malicious versions

3 flagged

9999.0.09999.0.19999.0.2

Indicators of compromise (SHA-256)

5b2f8f861c74d508ab4b8c3716b24502c9b7d9576a1a7d5a12d943c8689a8aa6

edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f

fa4498f70425b07b70b45e690ec9bd4df39e2331b867b38f6c514fdace564d9a

613c244d661e5d4c24917f7b5f875ae3ba06702e87bb39e87c536a069a4bfdfd

7c720b8affc812f8715ba3276062643ae5cdf7f33e1fdb2d9b7f863aed37b265

9bb4e5dc245e5190ba0541c3743ac690169de2eb2aff99bdba66f827d9233b65

Frequently asked questions

No. @orion-design-system/components on npm has been identified as a malicious package (versions 9999.0.0, 9999.0.1, 9999.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005266IN-MAL-2026-005277IN-MAL-2026-005272IN-MAL-2026-005271IN-MAL-2026-005278IN-MAL-2026-005265

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection