-= Per source details. Do not edit below this line.=-
Package is published as @onerjs/addons but ships a verbatim copy of the @babylonjs/addons source while declaring Babylon.js identity in its metadata: package.json sets homepage to https://www.babylonjs.com and repository.url to https://github.com/BabylonJS/Babylon.js.git, and the README is titled # Babylon.js Addons. Every internal import of @babylonjs/core has been rewritten to @onerjs/core (e.g., atmosphere/atmosphere.js line 6: import { Color3 } from "@onerjs/core/Maths/math.color.js";), and peerDependencies declares "@onerjs/core": "^8.0.0". The @onerjs scope is unrelated to Babylon.js or Microsoft. Installers who believe they are pulling Babylon.js addons will additionally install @onerjs/core from the same unrelated publisher, who can ship arbitrary code under the guise of Babylon.js core at any future version within the ^8.0.0 range. The lure package itself contains no lifecycle hooks or in-package exfiltration code, but its structural design (identity impersonation plus a peerDependency redirect to a sibling package controlled by the same publisher) is namespace abuse: the harm arrives through the rerouted dependency.
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-23T04:01:40Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:18.017427171Z",
"id": "IN-MAL-2026-004283",
"versions": [
"8.52.1"
],
"sha256": "40450be11588cc42f7e3c470a3c782ace90a2ec8a98e05343d6eda3787affafa"
},
{
"modified_time": "2026-05-23T14:05:55Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:24.068453861Z",
"id": "IN-MAL-2026-004335",
"versions": [
"8.52.3"
],
"sha256": "a7d3b8a435a56ca78d7a2f4ca7077b8a96f968d29e32dd01580fdf01cee442f5"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/addons/MAL-2026-4410.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "addons-8.52.1.tgz",
"hashes": {
"sha1": "54d1bf66d65a5add7c784f636decf53185e6710f",
"sha512_sri": "sha512-icJKLfibjut7US4pKASXxmcfYkmqnN8nWN+kNiGPyUOw4XKZIH99+K2Pb2NsarflQeh6o0snOMh6mDuzCbiYPw=="
}
}
],
"evidence_files": [
{
"tlsh": "e7213738c8662cb316dda5d898b95a82e16654574d84bc083bac902c4fae53f11ba36d",
"path": "package.json",
"sha256": "32482673e69e67602f313cb81056f007b9ef0b1d8e9add865918a336ded7ab19"
}
]
}