MAL-2026-4412

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/procedural-textures/MAL-2026-4412.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4412
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-22T06:12:48Z
Modified
2026-05-27T00:32:02.581092125Z
Summary
Malicious code in @onerjs/procedural-textures (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0986739ab06b1514203d94938604b093b9ddfa2126a452ae0cc92795123a153a)

Package is published as @onerjs/procedural-textures but its metadata identifies it as the Babylon.js Procedural Textures Library: package.json declares homepage https://www.babylonjs.com and repository BabylonJS/Babylon.js, and readme.md is titled 'Babylon.js Procedural Textures Library'. The source is a 1:1 clone of @babylonjs/procedural-textures with every internal import rewritten from @babylonjs/core to @onerjs/core (e.g., brick/brickProceduralTexture.js: import { __decorate } from "@onerjs/core/tslib.es6.js";), and @onerjs/core is declared as a peerDependency. A developer installing this package expecting the Babylon.js procedural textures library will silently pull the lookalike @onerjs/core scope into their dependency tree. The lure package itself contains no exec or network code; the attack mechanism is the forced inclusion of an attacker-controlled core scope under the guise of a well-known 3D engine library.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0986739ab06b1514203d94938604b093b9ddfa2126a452ae0cc92795123a153a",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T06:12:48Z",
            "versions": [
                "8.51.8"
            ],
            "id": "IN-MAL-2026-004142",
            "import_time": "2026-05-26T05:52:01.08328192Z"
        }
    ]
}

Affected packages

npm / @onerjs/procedural-textures

Package

Name
@onerjs/procedural-textures
Purl
pkg:npm/%40onerjs%2Fprocedural-textures

Affected ranges

Affected versions

8.*
8.51.8

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/procedural-textures/MAL-2026-4412.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "03a041cb2df758f1b70881854e69e8b6c4b2fcae40bd41a5caa1c456a3965505",
            "tlsh": "e2216a38c8696cb71adea09494b95b82d56604674dc4bc0833ec502c4fbe43f21ba36d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-GO1m8MNTbsPTaTgHKFFddenJ9vzypX/3C+faH6u3HiEoVZzjemonb9/rLbamF0Wymd+eMPdiilnlV0FwksbqdA==",
                "sha1": "2b9f55d2a4ebfc925a08ece2a037574304ce58f9"
            },
            "filename": "procedural-textures-8.51.8.tgz"
        }
    ]
}