npm · Malicious package advisory
Malware@onerjs/procedural-textures
MAL-2026-4412
Malicious code in @onerjs/procedural-textures (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0986739ab06b1514203d94938604b093b9ddfa2126a452ae0cc92795123a153a)
Package is published as @onerjs/procedural-textures but its metadata identifies it as the Babylon.js Procedural Textures Library: package.json declares homepage https://www.babylonjs.com and repository BabylonJS/Babylon.js, and readme.md is titled 'Babylon.js Procedural Textures Library'. The source is a 1:1 clone of @babylonjs/procedural-textures with every internal import rewritten from @babylonjs/core to @onerjs/core (e.g., brick/brickProceduralTexture.js: `import { __decorate } from "@onerjs/core/tslib.es6.js";`), and @onerjs/core is declared as a peerDependency. A developer installing this package expecting the Babylon.js procedural textures library will silently pull the lookalike @onerjs/core scope into their dependency tree. The lure package itself contains no exec or network code; the attack mechanism is the forced inclusion of an attacker-controlled core scope under the guise of a well-known 3D engine library.
Compromised versions (1)
- 8.51.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.