npm

@onerjs/procedural-textures @8.51.8

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4412

Ecosystem

npm

Summary

Package is published as @onerjs/procedural-textures but its metadata identifies it as the Babylon.js Procedural Textures Library: package.json declares homepage https://www.babylonjs.com and repository BabylonJS/Babylon.js, and readme.md is titled 'Babylon.js Procedural Textures Library'. The source is a 1:1 clone of @babylonjs/procedural-textures with every internal import rewritten from @babylonjs/core to @onerjs/core (e.g., brick/brickProceduralTexture.js: import { __decorate } from "@onerjs/core/tslib.es6.js";), and @onerjs/core is declared as a peerDependency. A developer installing this package expecting the Babylon.js procedural textures library will silently pull the lookalike @onerjs/core scope into their dependency tree. The lure package itself contains no exec or network code; the attack mechanism is the forced inclusion of an attacker-controlled core scope under the guise of a well-known 3D engine library.

Source: amazon-inspector (0986739ab06b1514203d94938604b093b9ddfa2126a452ae0cc92795123a153a)
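The mismatch described in the summary (metadata claiming the Babylon.js repository while the package sits in a different npm scope) can be checked mechanically over installed manifests. The following is an added example, not part of the advisory or of any scanner's code; the OFFICIAL_SCOPES map, the function names and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag packages whose package.json claims a known upstream
// repository but whose npm scope is not the one that upstream publishes under.

// Assumption: a reviewer-maintained map of upstream "owner/repo" -> official scope.
const OFFICIAL_SCOPES = { "babylonjs/babylon.js": "@babylonjs" };

// Constructed sample manifests (dependency version ranges are placeholders).
const SAMPLE_MANIFESTS = [
  { name: "@onerjs/procedural-textures", repository: "BabylonJS/Babylon.js",
    peerDependencies: { "@onerjs/core": "*" } },
  { name: "@babylonjs/procedural-textures",
    repository: { type: "git", url: "https://github.com/BabylonJS/Babylon.js.git" },
    peerDependencies: { "@babylonjs/core": "*" } },
  { name: "example-lib", repository: "example/example-lib", dependencies: {} },
];

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Normalise the string and object forms of "repository" to a lowercase "owner/repo".
function repoSlug(repository) {
  const raw = typeof repository === "string" ? repository : (repository && repository.url) || "";
  const m = raw.toLowerCase().replace(/\.git$/, "").match(/([\w.-]+\/[\w.-]+)$/);
  return m ? m[1] : null;
}

function findScopeMismatches(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const slug = repoSlug(pkg.repository);
    const expected = slug && OFFICIAL_SCOPES[slug];
    const actual = scopeOf(pkg.name || "");
    if (!expected || actual === expected) continue; // unknown upstream, or scope matches
    // Dependencies in the package's own (unofficial) scope are what the lure drags in.
    const deps = { ...pkg.dependencies, ...pkg.peerDependencies };
    const sameScopeDeps = Object.keys(deps).filter((d) => actual !== null && scopeOf(d) === actual);
    findings.push({ name: pkg.name, claims: slug, expectedScope: expected, sameScopeDeps });
  }
  return findings;
}

console.log(JSON.stringify(findScopeMismatches(SAMPLE_MANIFESTS), null, 2));
```

A finding is a prompt for manual review, since legitimate forks also keep upstream repository metadata.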
