MAL-2026-4414

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/smart-filters/MAL-2026-4414.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4414
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-21T02:06:13Z
Modified
2026-05-27T00:31:58.072964476Z
Summary
Malicious code in @onerjs/smart-filters (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (66a4578e888bb6e53b7a5df17aa093931f6aff50773efd2634819294538217ab)

Package is published under the @onerjs scope but self-describes as 'Babylon.js Smart Filter core' with repository metadata pointing at github.com/BabylonJS/Babylon.js. The source is a verbatim copy of @babylonjs/smart-filters with every import of @babylonjs/core rewritten to @onerjs/core (e.g., dist/index.js line 13: export { Logger } from "@onerjs/core/Misc/logger.js";), and package.json declares peerDependencies: { "@onerjs/core": "^7.47.3 || ^8.0.1" }. The @onerjs scope is a one-character-edit homoglyph squat of the well-known @babylonjs scope (top-tier 3D engine), and installers who type or copy this name from a poisoned tutorial are forced to also install @onerjs/core — a separate sibling package outside this tarball that substitutes for the legitimate @babylonjs/core. This tarball's own code is a benign mirror of the upstream library; the supply-chain harm is the dependency redirection: any code shipped under @onerjs/core executes in the installer's environment in place of @babylonjs/core. The combined signal — scope-level homoglyph of a top-100 package + identity-claim mismatch (description and repo cite Babylon.js while scope does not) + forced peerDependency on a parallel typosquat package — is the namespace-abuse delivery fingerprint.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "8.51.8"
            ],
            "modified_time": "2026-05-22T06:15:27Z",
            "sha256": "66a4578e888bb6e53b7a5df17aa093931f6aff50773efd2634819294538217ab",
            "id": "IN-MAL-2026-004145",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:01.465255551Z"
        },
        {
            "versions": [
                "8.51.7"
            ],
            "modified_time": "2026-05-21T02:06:13Z",
            "sha256": "ca8088dc94ff21e3e3ed2b494dd91773bc8bf23f80b68dbb4ed14a1ef5fd1484",
            "id": "IN-MAL-2026-003702",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:08.494182113Z"
        }
    ]
}

Affected packages

npm / @onerjs/smart-filters

Package

Name
@onerjs/smart-filters
Purl
pkg:npm/%40onerjs%2Fsmart-filters

Affected ranges

Affected versions

8.*
8.51.7
8.51.8

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "smart-filters-8.51.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-7k2+XIpRIOwgyRdeF+v07aGqg5wJSa8zolO0wVOq+gu+8YnZTUhhKdGPdUlSwpylypVE7aJSVBp9S+nivPb0fQ==",
                "sha1": "108a458bc38edfb6c45cb8bf85e29b9c805e31bc"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "c8318834c8692d7301c9a19558e99b46e27514475e84bc08339c506c0faf5af91ba3ac",
            "sha256": "791c3939a60f0bae1fbdf37b65af6c26f0232f5e66773ab2ec9fba412965d08c"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/smart-filters/MAL-2026-4414.json"