MAL-2026-4411

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/inspector/MAL-2026-4411.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4411
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-23T10:27:40Z
Modified
2026-05-27T00:32:02.574435706Z
Summary
Malicious code in @onerjs/inspector (npm)
Details


Source: amazon-inspector (08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd)

Package name, version (8.52.2), README, homepage and repository all impersonate @babylonjs/inspector. The shipped code is a ~700-byte UMD wrapper that re-exports require('@babylonjs/inspector') — functionally a thin shim providing cover for the impersonation. The harmful mechanism is in package.json: peerDependencies redirect every @babylonjs/* dependency (core, gui, addons, loaders, materials, serializers, gui-editor) to @onerjs/* lookalikes pinned to ^8.0.0. Installers following the README — which instructs npm install @babylonjs/core @babylonjs/inspector — pull this package and then must satisfy @onerjs/core, @onerjs/gui, etc., all of which resolve to packages in an attacker-controlled scope unrelated to the legitimate BabylonJS publisher. Whatever code those sibling @onerjs/* packages contain (now or in any future version, since the constraint is a caret range) will execute in the installer's environment. The wrapper itself ships no install hooks, network code, or credential access; the supply-chain harm is the forced pull-in of the parallel namespace.
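The redirection described above lives entirely in manifest metadata, so it can be caught before install by reading package.json rather than the shipped JavaScript. The following script is an added example, not code from the record or from the malicious-packages project: it scans the dependency fields of a manifest for entries that reuse a basename of a trusted scope (here @babylonjs) under a different scope, and notes whether the version constraint is a floating range that would admit future releases. The sample manifest is constructed to mirror the structure the record describes; it is not the actual package.json whose hash appears in the indicators.

```python
"""Flag dependency entries that redirect a trusted npm scope to a lookalike scope."""
import json
import re

# Constructed sample manifest modelled on the record's description of @onerjs/inspector.
# It is NOT the real file; only the shape (peerDependencies pointing at @onerjs/* with ^8.0.0) is reproduced.
SAMPLE_PACKAGE_JSON = """
{
  "name": "@onerjs/inspector",
  "version": "8.52.2",
  "main": "dist/inspector.js",
  "peerDependencies": {
    "@onerjs/core": "^8.0.0",
    "@onerjs/gui": "^8.0.0",
    "@onerjs/addons": "^8.0.0",
    "@onerjs/loaders": "^8.0.0",
    "@onerjs/materials": "^8.0.0",
    "@onerjs/serializers": "^8.0.0",
    "@onerjs/gui-editor": "^8.0.0"
  },
  "dependencies": {
    "@babylonjs/inspector": "^8.0.0"
  }
}
"""

SCOPED_NAME = re.compile(r"^@([^/]+)/(.+)$")
DEP_FIELDS = ("dependencies", "peerDependencies", "optionalDependencies")

# Basenames published under the legitimate @babylonjs scope, as listed in the record.
BABYLON_BASENAMES = frozenset(
    {"core", "gui", "addons", "loaders", "materials", "serializers", "gui-editor", "inspector"}
)


def split_scope(name):
    """Return (scope, basename) for '@scope/pkg', or (None, name) for unscoped packages."""
    m = SCOPED_NAME.match(name)
    return (m.group(1), m.group(2)) if m else (None, name)


def is_floating_range(rng):
    """True for constraints that admit releases the installer has not reviewed (^, ~, >=, *, x, latest, '')."""
    rng = rng.strip()
    return rng == "" or bool(re.match(r"^(\^|~|>=?|\*|x$|latest$)", rng))


def find_scope_redirections(manifest, trusted_scope, trusted_basenames):
    """Return [(field, dependency, range)] for deps that reuse a trusted basename under another scope.

    Entries that stay in the trusted scope (e.g. @babylonjs/inspector) are not reported.
    """
    hits = []
    for field in DEP_FIELDS:
        for dep, rng in manifest.get(field, {}).items():
            scope, base = split_scope(dep)
            if scope is not None and scope != trusted_scope and base in trusted_basenames:
                hits.append((field, dep, rng))
    return hits


def analyse(manifest_text, trusted_scope="babylonjs", trusted_basenames=BABYLON_BASENAMES):
    """Parse a package.json string and describe every cross-scope redirection found."""
    manifest = json.loads(manifest_text)
    return [
        {"field": field, "dependency": dep, "range": rng, "floating": is_floating_range(rng)}
        for field, dep, rng in find_scope_redirections(manifest, trusted_scope, trusted_basenames)
    ]


if __name__ == "__main__":
    for hit in analyse(SAMPLE_PACKAGE_JSON):
        flag = "floating" if hit["floating"] else "pinned"
        print(f"{hit['field']}: {hit['dependency']} {hit['range']} ({flag})")
```

Run against a manifest fetched with `npm view <pkg> --json` or a vendored package.json, the script reports the seven @onerjs/* peer dependencies and marks each as floating, while the @babylonjs/inspector entry passes. The basename list is deliberately explicit rather than derived from the registry, so the check stays offline and does not itself resolve the lookalike packages.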

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd",
            "id": "IN-MAL-2026-004310",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T10:27:40Z",
            "versions": [
                "8.52.2"
            ],
            "import_time": "2026-05-26T05:52:21.123467711Z"
        }
    ]
}
References
Credits

Affected packages

npm / @onerjs/inspector

Package

Name
@onerjs/inspector
Purl
pkg:npm/%40onerjs%2Finspector

Affected ranges

Affected versions

8.*
8.52.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/inspector/MAL-2026-4411.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "72416978c5285cf311ce70989cba5643a46840db4dc1f8483b7da62c0f6d6af637536e",
            "sha256": "cfa0a522742183b0ec023a08685a68f6242e80b1bc57d4d9026229928380afde",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "inspector-8.52.2.tgz",
            "hashes": {
                "sha1": "87689ba732dd02d423c1f23bece536c6505e2841",
                "sha512_sri": "sha512-Cmr7NFRCcfS8O1QNEqXkMhL7BS3xTQAGVj74Jy9ltcalQhLI6w+CR7/IHiWO0PhlB5+Z2qRUOLUVx0hdYEvAAw=="
            }
        }
    ]
}