Which versions of @orion-design-system/store are malicious?

The following npm versions of @orion-design-system/store are flagged malicious: 9999.0.0, 9999.0.1, 9999.0.2. Treat any of these as compromised.

How do I remediate @orion-design-system/store if I installed it?

Remove @orion-design-system/store from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @orion-design-system/store part of a known attack campaign?

Yes — @orion-design-system/store is associated with the IN-MAL-2026-005263, IN-MAL-2026-005276, IN-MAL-2026-005264, IN-MAL-2026-005273, IN-MAL-2026-005275, IN-MAL-2026-005274 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @orion-design-system/store in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @orion-design-system/store and packages like it before any post-install script runs.

Malicious package

@orion-design-system/storenpm

Malicious code in @orion-design-system/store (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5524

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @orion-design-system/store

What this malware does

package.json declares a preinstall script that runs on every npm install. The script uses node -e to require os and https, reads os.hostname() and os.userInfo().username, and exfiltrates them to d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun (an Interactsh OAST callback host) via both an HTTPS GET with the values in the query string and a DNS lookup with the hostname embedded in the subdomain. The package combines this active exfiltration with a textbook Alex Birsan dependency-confusion shape: an internal-looking scope (@orion-design-system), an absurdly high version (9999.0.0) designed to win version resolution against a private registry, and a README that explicitly names the target organization (Cloud Imperium Games / Roberts Space Industries). Any build system misconfigured to resolve the public copy over a private internal package will leak host identifiers to the attacker-controlled OAST endpoint at install time. 'Authorized research' framing in the README does not neutralize the install-time payload — the script fires unconditionally on any installer that resolves this package.

Malicious versions

3 flagged

9999.0.09999.0.19999.0.2

Indicators of compromise (SHA-256)

18c29b2dcc4ee4794aa7b5a1199b5775d54d56eec361d95720af15dc1ddd7916

9815f5aa81bcd030a391df30c297ef8fdfe95111569b4d2b77e5aeba1d2183d9

1b337743ad6e42e473396da2514abe56ba198f0776eaf2c7583335007066472e

32e10728cad830e305f8b7884fd0577b993901223cb5e658620f73d397a3355c

4218505b74ba258cea12df713bbc27db9fa58d6660cf83e6d0c5fd8a9f68a4c2

69f8ac78836d4508d6c1647cceec0814cd41da0cdf862199e2e4b7d9dccb8944

Frequently asked questions

No. @orion-design-system/store on npm has been identified as a malicious package (versions 9999.0.0, 9999.0.1, 9999.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005263IN-MAL-2026-005276IN-MAL-2026-005264IN-MAL-2026-005273IN-MAL-2026-005275IN-MAL-2026-005274

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection