MAL-2026-4413

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/serializers/MAL-2026-4413.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4413
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-23T04:02:46Z
Modified
2026-05-27T00:32:02.613434903Z
Summary
Malicious code in @onerjs/serializers (npm)
Details


Source: amazon-inspector (729400f12e8686271847d4633518c63363e156c251d18ede6f1d2e947aa2c0e0)

This package replicates the public API of @babylonjs/serializers and ships its source verbatim, but rewrites every internal import from @babylonjs/core to @onerjs/core (e.g., OBJ/objSerializer.js: import { Matrix } from "@onerjs/core/Maths/math.vector.js";) and declares @onerjs/core as a peerDependency ("@onerjs/core":"^8.0.0"). Package metadata further impersonates the upstream project: homepage is set to https://www.babylonjs.com and repository to https://github.com/BabylonJS/Babylon.js.git, neither of which is owned by the @onerjs publisher. The README instructs users to npm install --save @babylonjs/core @babylonjs/serializers, mismatched with the actual @onerjs scope being shipped. The package itself contains no install hooks or runtime exfiltration, but installing or depending on it forces the installer to also resolve @onerjs/core — an attacker-controlled namespace that is the actual delivery vehicle. The combination of verbatim-API replication, namespace-rewritten imports, impersonated upstream metadata, and a typosquat peer dependency is the structural fingerprint of a namespace-abuse lure.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004284",
            "import_time": "2026-05-26T05:52:18.158002493Z",
            "source": "amazon-inspector",
            "versions": [
                "8.52.1"
            ],
            "modified_time": "2026-05-23T04:02:46Z",
            "sha256": "729400f12e8686271847d4633518c63363e156c251d18ede6f1d2e947aa2c0e0"
        }
    ]
}

Affected packages

npm / @onerjs/serializers

Package

Name
@onerjs/serializers
Purl
pkg:npm/%40onerjs%2Fserializers

Affected ranges

Affected versions

8.*
8.52.1

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/serializers/MAL-2026-4413.json"
indicators
{
    "package_integrity": [
        {
            "filename": "serializers-8.52.1.tgz",
            "hashes": {
                "sha1": "2fd4db07bd4266b7f22ae4cf761d71e719319c3a",
                "sha512_sri": "sha512-KqfaInUCwIptK0xxDfYeMV3YIsgE3T+Mni2DZHOCueP5/ScWn5lrBvG0LRnELaRQ+uW5NR8LF8ZIKX1BFhhu+g=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "e865c835926a211dca0c9d5b11ceae009e5bd0f78b109cf5c06f3c3da7bbcf95",
            "tlsh": "d4219d38c8662cb316ede1d498b95a82d165545b4dc4bc0c37ec502c4fae87f51ba76c"
        }
    ]
}