@onerjs/addons @8.52.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4410

Ecosystem

npm

Summary

The package is published as @onerjs/addons but ships a verbatim copy of the @babylonjs/addons source while declaring the Babylon.js identity in its metadata: package.json sets homepage to https://www.babylonjs.com and repository.url to https://github.com/BabylonJS/Babylon.js.git, and the README is titled "# Babylon.js Addons". Every internal import of @babylonjs/core has been rewritten to @onerjs/core (e.g., atmosphere/atmosphere.js line 6: import { Color3 } from "@onerjs/core/Maths/math.color.js";), and peerDependencies declares "@onerjs/core": "^8.0.0". The @onerjs scope is unrelated to Babylon.js or Microsoft. Installers who believe they are pulling the Babylon.js addons will additionally install @onerjs/core from the same unrelated publisher, who can ship arbitrary code under the guise of Babylon.js core in any future version within the ^8.0.0 range. The lure package itself contains no lifecycle hooks or in-package exfiltration, but the structural design (identity impersonation plus a peerDependency redirect to a sibling package controlled by the same publisher) is namespace abuse: the harm arrives through the rerouted dependency.
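A metadata check for the pattern this report describes, as an added example that is not part of the OSV record or of any scanner's code: it flags a package whose repository URL claims a known project while its name sits in an unrelated scope, and then lists the peerDependencies that route the rest of the tree to that same scope. The KNOWN_PROJECTS map and the package.json objects are constructed for the example (the suspect one mirrors the metadata quoted above).

```javascript
// Map a normalized repository URL to the npm scopes that project actually publishes
// under. Assumption for this example; a real check would source this from an allowlist.
const KNOWN_PROJECTS = {
  "github.com/babylonjs/babylon.js": ["@babylonjs"],
};

function scopeOf(name) {
  return name && name.startsWith("@") ? name.split("/")[0] : null;
}

// Strip "git+", the protocol, a trailing ".git" and slashes so repository URLs compare cleanly.
function normalizeRepo(url) {
  return String(url || "")
    .replace(/^git\+/, "")
    .replace(/^https?:\/\//, "")
    .replace(/\.git$/, "")
    .replace(/\/+$/, "")
    .toLowerCase();
}

// Returns a list of findings; an empty list means no identity mismatch was detected.
function auditPackage(pkg) {
  const findings = [];
  const scope = scopeOf(pkg.name);
  const repo = normalizeRepo(pkg.repository && pkg.repository.url);
  const legitScopes = KNOWN_PROJECTS[repo];
  if (!legitScopes || !scope) return findings; // claims no known project, nothing to compare
  if (legitScopes.includes(scope)) return findings; // scope matches the claimed project
  findings.push({ kind: "identity-mismatch", name: pkg.name, claims: repo, expected: legitScopes });
  // The redirect: peer dependencies pulled from the same unverified scope as the lure.
  for (const [dep, range] of Object.entries(pkg.peerDependencies || {})) {
    if (scopeOf(dep) === scope) findings.push({ kind: "peer-redirect", dep, range });
  }
  return findings;
}

// Constructed package.json mirroring the advisory's quoted metadata.
const SUSPECT = {
  name: "@onerjs/addons",
  version: "8.52.3",
  homepage: "https://www.babylonjs.com",
  repository: { type: "git", url: "git+https://github.com/BabylonJS/Babylon.js.git" },
  peerDependencies: { "@onerjs/core": "^8.0.0" },
};
// Constructed legitimate counterpart: same repository claim, matching scope.
const LEGIT = { ...SUSPECT, name: "@babylonjs/addons", peerDependencies: { "@babylonjs/core": "^8.0.0" } };

if (typeof require !== "undefined" && require.main === module) console.log(auditPackage(SUSPECT));
```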

Source: amazon-inspector (a7d3b8a435a56ca78d7a2f4ca7077b8a96f968d29e32dd01580fdf01cee442f5)
