@onerjs/serializers @8.52.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4413
Ecosystem
npm
Summary
This package replicates the public API of @babylonjs/serializers and ships its source verbatim, but rewrites every internal import from @babylonjs/core to @onerjs/core (e.g., OBJ/objSerializer.js: import { Matrix } from "@onerjs/core/Maths/math.vector.js";) and declares @onerjs/core as a peerDependency ("@onerjs/core": "^8.0.0"). Package metadata further impersonates the upstream project: homepage is set to https://www.babylonjs.com and repository to https://github.com/BabylonJS/Babylon.js.git, neither of which is owned by the @onerjs publisher. The README instructs users to npm install --save @babylonjs/core @babylonjs/serializers, mismatched with the actual @onerjs scope being shipped. The package itself contains no install hooks or runtime exfiltration, but installing or depending on it forces the installer to also resolve @onerjs/core — an attacker-controlled namespace that is the actual delivery vehicle. The combination of verbatim-API replication, namespace-rewritten imports, impersonated upstream metadata, and a typosquat peer dependency is the structural fingerprint of a namespace-abuse lure.
Source: amazon-inspector (729400f12e8686271847d4633518c63363e156c251d18ede6f1d2e947aa2c0e0)