registry  /  @onescience/onecode  /  1.14.50-202607010646

@onescience/onecode@1.14.50-202607010646

OneScience AI coding agent for the terminal.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The install hook fetches and installs an executable payload from a hardcoded IP endpoint with TLS verification disabled. The packaged CLI later runs that installed binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; invoking onecode runs the installed binary
Impact
Remote endpoint can supply arbitrary executable code outside npm package integrity controls
Mechanism
install-time unauthenticated remote binary download and execution wrapper
Attack narrative
On install, postinstall.mjs builds a URL under a hardcoded IP host, downloads a tarball with certificate verification disabled, extracts it, moves the extracted package into node_modules, chmods its native binary, and links or copies it to bin/.onecode. The public bin/onecode wrapper resolves that cached binary and spawns it with user arguments.
Rationale
This package delegates its installed executable to unauthenticated install-time network content, creating a concrete remote code execution supply-chain risk even though the wrapper is CLI-aligned. No source evidence shows credential theft or AI-agent control-surface hijacking.
Evidence
package.jsonpostinstall.mjsbin/onecodenode_modules/onecode-<platform>-<arch>bin/.onecode/tmp/onecode-<platform>-<arch>-<version>.tgz/tmp/onecode-<platform>-<arch>-<version>-extract
Network endpoints1
218.90.133.98:4443/onecode_tgz

Decision evidence

public snapshot
AI called this Malicious at 88.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node ./postinstall.mjs
  • postinstall.mjs downloads a tgz from https://218.90.133.98:4443/onecode_tgz during install
  • postinstall.mjs uses https.get with rejectUnauthorized:false, disabling TLS certificate validation
  • postinstall.mjs extracts downloaded archive with tar and installs/chmods bin/.onecode
  • bin/onecode executes the installed/downloaded binary via child_process.spawn
Evidence against
  • No credential harvesting, home-directory agent config writes, persistence hooks, or destructive filesystem behavior found in package source
  • CLI wrapper behavior is package-aligned for a native binary tool
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 4.95 KB of source, external domains: 218.90.133.98

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings