{"id":"MAL-2026-4411","summary":"Malicious code in @onerjs/inspector (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd)\nPackage name, version (8.52.2), README, homepage and repository all impersonate @babylonjs/inspector. The shipped code is a ~700-byte UMD wrapper that re-exports require('@babylonjs/inspector') — functionally a thin shim providing cover for the impersonation. The harmful mechanism is in package.json: peerDependencies redirect every @babylonjs/* dependency (core, gui, addons, loaders, materials, serializers, gui-editor) to @onerjs/* lookalikes pinned to ^8.0.0. Installers following the README — which instructs `npm install @babylonjs/core @babylonjs/inspector` — pull this package and then must satisfy @onerjs/core, @onerjs/gui, etc., all of which resolve to packages in an attacker-controlled scope unrelated to the legitimate BabylonJS publisher. Whatever code those sibling @onerjs/* packages contain (now or in any future version, since the constraint is a caret range) will execute in the installer's environment. The wrapper itself ships no install hooks, network code, or credential access; the supply-chain harm is the forced pull-in of the parallel namespace.\n","modified":"2026-05-27T00:32:02.574435706Z","published":"2026-05-23T10:27:40Z","withdrawn":"2026-05-26T21:41:23Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004310","import_time":"2026-05-26T05:52:21.123467711Z","modified_time":"2026-05-23T10:27:40Z","sha256":"08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd","source":"amazon-inspector","versions":["8.52.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@onerjs/inspector/v/8.52.2"}],"affected":[{"package":{"name":"@onerjs/inspector","ecosystem":"npm","purl":"pkg:npm/%40onerjs%2Finspector"},"versions":["8.52.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@onerjs/inspector/MAL-2026-4411.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"72416978c5285cf311ce70989cba5643a46840db4dc1f8483b7da62c0f6d6af637536e","path":"package.json","sha256":"cfa0a522742183b0ec023a08685a68f6242e80b1bc57d4d9026229928380afde"}],"package_integrity":[{"filename":"inspector-8.52.2.tgz","hashes":{"sha1":"87689ba732dd02d423c1f23bece536c6505e2841","sha512_sri":"sha512-Cmr7NFRCcfS8O1QNEqXkMhL7BS3xTQAGVj74Jy9ltcalQhLI6w+CR7/IHiWO0PhlB5+Z2qRUOLUVx0hdYEvAAw=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}