VYPR

npm · Malicious package advisory

Malware

@onerjs/procedural-textures

MAL-2026-4412

Malicious code in @onerjs/procedural-textures (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0986739ab06b1514203d94938604b093b9ddfa2126a452ae0cc92795123a153a)
Package is published as @onerjs/procedural-textures but its metadata identifies it as the Babylon.js Procedural Textures Library: package.json declares homepage https://www.babylonjs.com and repository BabylonJS/Babylon.js, and readme.md is titled 'Babylon.js Procedural Textures Library'. The source is a 1:1 clone of @babylonjs/procedural-textures with every internal import rewritten from @babylonjs/core to @onerjs/core (e.g., brick/brickProceduralTexture.js: `import { __decorate } from "@onerjs/core/tslib.es6.js";`), and @onerjs/core is declared as a peerDependency. A developer installing this package expecting the Babylon.js procedural textures library will silently pull the lookalike @onerjs/core scope into their dependency tree. The lure package itself contains no exec or network code; the attack mechanism is the forced inclusion of an attacker-controlled core scope under the guise of a well-known 3D engine library.

Compromised versions (1)

  • 8.51.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.