AI Security Review
scanned 2h ago · by lpm-firewall-aiThe install hook fetches and installs an executable payload from a hardcoded IP endpoint with TLS verification disabled. The packaged CLI later runs that installed binary.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; invoking onecode runs the installed binary
Impact
Remote endpoint can supply arbitrary executable code outside npm package integrity controls
Mechanism
install-time unauthenticated remote binary download and execution wrapper
Attack narrative
On install, postinstall.mjs builds a URL under a hardcoded IP host, downloads a tarball with certificate verification disabled, extracts it, moves the extracted package into node_modules, chmods its native binary, and links or copies it to bin/.onecode. The public bin/onecode wrapper resolves that cached binary and spawns it with user arguments.
Rationale
This package delegates its installed executable to unauthenticated install-time network content, creating a concrete remote code execution supply-chain risk even though the wrapper is CLI-aligned. No source evidence shows credential theft or AI-agent control-surface hijacking.
Evidence
package.jsonpostinstall.mjsbin/onecodenode_modules/onecode-<platform>-<arch>bin/.onecode/tmp/onecode-<platform>-<arch>-<version>.tgz/tmp/onecode-<platform>-<arch>-<version>-extract
Network endpoints1
218.90.133.98:4443/onecode_tgz
Decision evidence
public snapshotAI called this Malicious at 88.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json runs postinstall: node ./postinstall.mjs
- postinstall.mjs downloads a tgz from https://218.90.133.98:4443/onecode_tgz during install
- postinstall.mjs uses https.get with rejectUnauthorized:false, disabling TLS certificate validation
- postinstall.mjs extracts downloaded archive with tar and installs/chmods bin/.onecode
- bin/onecode executes the installed/downloaded binary via child_process.spawn
Evidence against
- No credential harvesting, home-directory agent config writes, persistence hooks, or destructive filesystem behavior found in package source
- CLI wrapper behavior is package-aligned for a native binary tool
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings