MAL-2026-4415

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/smart-filters-blocks/MAL-2026-4415.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4415
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-23T03:47:45Z
Modified
2026-05-27T00:32:02.632728359Z
Summary
Malicious code in @onerjs/smart-filters-blocks (npm)
Details

Source: amazon-inspector (e772d7a844409df378591a5a587c7cc8045e0ec0e8cb493912f0da8fa594c169)

This package is published as @onerjs/smart-filters-blocks but its README, repository URL (git+https://github.com/BabylonJS/Babylon.js.git), description, file tree, and exported API are a verbatim copy of the legitimate @babylonjs/smart-filters-blocks. The scope has been swapped from @babylonjs to @onerjs while preserving every other identifier, which is the structural shape of a namespace-confusion attack against the Babylon.js ecosystem. The package.json declares "@onerjs/smart-filters": "8.51.9" as a dependency and "@onerjs/core" as a peer dependency — both are typosquats of @babylonjs/smart-filters and @babylonjs/core. Installing this package therefore forces resolution of the @onerjs/* sibling packages into the installer's dependency tree. Whatever code those siblings contain runs in the installer's environment when their lifecycle hooks fire or when they are required, and the attacker who registered the @onerjs scope controls those bytes. The leaf package itself may be a benign mirror, but the dependency-graph forcing of attacker-controlled siblings under a confusion-named scope is the supply-chain harm.
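As an added defender-side example (not part of this advisory or of the ossf/malicious-packages project), the JavaScript below triages the shape described above from a package.json alone: it compares the package's npm scope with the organisation in its repository URL and lists the same-scope dependencies that installing the package would force into the tree. Function names are assumptions, and the sample manifest is constructed from the values quoted in the advisory (the peer dependency's version range is a placeholder the advisory does not give).

```javascript
// Added example: detect the scope-swap ("namespace confusion") shape of a
// manifest. Helper names are assumptions, not any project's API.

// Owning org from a GitHub repository URL such as
// "git+https://github.com/BabylonJS/Babylon.js.git"; null if not GitHub-shaped.
function repoOrgFromUrl(url) {
  const m = /github\.com[/:]([^/]+)\/[^/]+/i.exec(url || '');
  return m ? m[1].toLowerCase() : null;
}

// Scope of an npm package name ("@onerjs/core" -> "onerjs"); null if unscoped.
function scopeOf(name) {
  const m = /^@([^/]+)\//.exec(name || '');
  return m ? m[1].toLowerCase() : null;
}

// Analyse one parsed package.json: the package scope, the repository org it
// claims, whether the two agree, and which same-scope siblings the manifest
// pulls in via dependencies and peerDependencies. A scope that does not match
// the claimed repo org, combined with forced same-scope siblings, is the
// pattern the advisory describes. Mismatch alone is only a triage signal:
// an attacker can also edit the repository URL.
function analyseScopeSwap(pkg) {
  const scope = scopeOf(pkg.name);
  const repoUrl = typeof pkg.repository === 'string'
    ? pkg.repository
    : (pkg.repository || {}).url;
  const repoOrg = repoOrgFromUrl(repoUrl);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.peerDependencies || {}) };
  const forcedSiblings = Object.keys(deps).filter((d) => scope && scopeOf(d) === scope);
  const scopeMatchesRepo = scope !== null && repoOrg !== null && scope === repoOrg;
  return {
    scope,
    repoOrg,
    scopeMatchesRepo,
    forcedSiblings,
    suspicious: !scopeMatchesRepo && forcedSiblings.length > 0,
  };
}

// Constructed manifest mirroring the advisory's quoted values; "*" for the
// peer dependency is a placeholder, not a value from the advisory.
const SAMPLE_MANIFEST = {
  name: '@onerjs/smart-filters-blocks',
  version: '8.51.9',
  repository: { type: 'git', url: 'git+https://github.com/BabylonJS/Babylon.js.git' },
  dependencies: { '@onerjs/smart-filters': '8.51.9' },
  peerDependencies: { '@onerjs/core': '*' },
};

console.log(JSON.stringify(analyseScopeSwap(SAMPLE_MANIFEST), null, 2));
```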

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "8.51.9"
            ],
            "modified_time": "2026-05-23T03:47:45Z",
            "sha256": "e772d7a844409df378591a5a587c7cc8045e0ec0e8cb493912f0da8fa594c169",
            "id": "IN-MAL-2026-004282",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:17.908036139Z"
        },
        {
            "versions": [
                "8.52.4"
            ],
            "modified_time": "2026-05-26T07:12:35Z",
            "sha256": "92d0d2a93c731e47eda21ad9ab10b43f26244ec6ebecb28edc755a575b2321b2",
            "id": "IN-MAL-2026-004857",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T07:48:28.381589464Z"
        }
    ]
}
References
Credits

Affected packages

npm / @onerjs/smart-filters-blocks

Package

Name
@onerjs/smart-filters-blocks
Purl
pkg:npm/%40onerjs%2Fsmart-filters-blocks

Affected ranges

Affected versions

8.*
8.51.9
8.52.4

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-uWwAc9ncelMqUzYhTLHBvm1uSAvGUXvWKU6cLmslrd+Em5Kn96zYBA296T00Ok/JnInC6fNgkV43QLFB5lfngQ==",
                "sha1": "30a96706aafb70ff8e6fe62bb842511974846ec9"
            },
            "filename": "smart-filters-blocks-8.51.9.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "c231cb38c9656db301c9a4949ce95742e276144b1d88bc0d33ac907c4faf57fa1be3ac",
            "sha256": "d97be89a3fb4230adee3e0704b20e494bd5e01d00f03763d10ccb7e7393e1507"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/smart-filters-blocks/MAL-2026-4415.json"