npm · Malicious package advisory
Malware@onerjs/serializers
MAL-2026-4413
Malicious code in @onerjs/serializers (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (729400f12e8686271847d4633518c63363e156c251d18ede6f1d2e947aa2c0e0)
This package replicates the public API of @babylonjs/serializers and ships its source verbatim, but rewrites every internal import from @babylonjs/core to @onerjs/core (e.g., OBJ/objSerializer.js: `import { Matrix } from "@onerjs/core/Maths/math.vector.js";`) and declares @onerjs/core as a peerDependency (`"@onerjs/core":"^8.0.0"`). Package metadata further impersonates the upstream project: `homepage` is set to https://www.babylonjs.com and `repository` to https://github.com/BabylonJS/Babylon.js.git, neither of which is owned by the @onerjs publisher. The README instructs users to `npm install --save @babylonjs/core @babylonjs/serializers`, mismatched with the actual @onerjs scope being shipped. The package itself contains no install hooks or runtime exfiltration, but installing or depending on it forces the installer to also resolve @onerjs/core — an attacker-controlled namespace that is the actual delivery vehicle. The combination of verbatim-API replication, namespace-rewritten imports, impersonated upstream metadata, and a typosquat peer dependency is the structural fingerprint of a namespace-abuse lure.
Compromised versions (1)
- 8.52.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.