@onerjs/addons @8.52.3
Maintainers
Keywords
Dev Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| @dev/addons | ^1.0.0 | Not imported |
| @onerjs/core | 8.52.3 | auto_approved |
| @dev/build-tools | ^1.0.0 | Not imported |
Changes from v8.52.2
No metadata changes detected.
File Changes
SAST Findings (2)
Source: amazon-inspector (a7d3b8a435a56ca78d7a2f4ca7077b8a96f968d29e32dd01580fdf01cee442f5)

Package is published as `@onerjs/addons` but ships a verbatim copy of `@babylonjs/addons` source while declaring Babylon.js identity in its metadata: `package.json` sets `homepage` to `https://www.babylonjs.com` and `repository.url` to `https://github.com/BabylonJS/Babylon.js.git`, and the README is titled `# Babylon.js Addons`. Every internal import of `@babylonjs/core` has been rewritten to `@onerjs/core` (e.g., `atmosphere/atmosphere.js` line 6: `import { Color3 } from "@onerjs/core/Maths/math.color.js";`), and `peerDependencies` declares `"@onerjs/core": "^8.0.0"`. The `@onerjs` scope is unrelated to Babylon.js or Microsoft.

Installers who believe they are pulling Babylon.js addons will additionally install `@onerjs/core` from the same unrelated publisher, who can ship arbitrary code under the guise of Babylon.js core at any future version within the `^8.0.0` range. The lure package itself contains no lifecycle hooks or in-package exfil, but the structural design (identity impersonation plus a peerDependency redirect to a sibling package controlled by the same publisher) is namespace abuse: the harm arrives through the rerouted dependency.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 49. Findings: 1 critical (+40), 3 low (+9), 1 info (+0).
Commit: 0070197f35a0