AI Security Review
scanned 2h ago · by lpm-firewall-ai
Install lifecycle fetches and stages a native executable from a hardcoded IP endpoint with TLS certificate validation disabled. The staged binary is then executed when the onecode CLI is invoked.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, then user invokes onecode CLI
Impact
Unverified remote binary can define runtime behavior outside the inspected npm source.
Mechanism
install-time remote native binary download and CLI launcher spawn
Attack narrative
During postinstall, the package downloads a platform tarball from a hardcoded IP URL, disables TLS certificate verification, extracts it, and stages a chmodded native binary as bin/.onecode. The package wrapper later spawns that binary for CLI use. Source inspection found no exfiltration or foreign AI-agent control-surface mutation, but the binary payload is remote and unauthenticated from the npm source package.
Rationale
The package has a real install-time remote payload risk because it stages a native executable from an IP endpoint with certificate verification disabled, but inspected source does not show concrete exfiltration, persistence, or agent control hijack. Treat as suspicious remote payload staging rather than confirmed malware.
Evidence
- package.json
- postinstall.mjs
- bin/onecode
- bin/.onecode
- node_modules/onecode-<platform>-<arch>
- /tmp/onecode-<platform>-<arch>-<version>.tgz
- /tmp/onecode-<platform>-<arch>-<version>-extract
Network endpoints (1)
218.90.133.98:4443/onecode_tgz
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json runs postinstall: node ./postinstall.mjs
- postinstall.mjs downloads a platform tgz from https://218.90.133.98:4443/onecode_tgz
- postinstall.mjs sets rejectUnauthorized:false for HTTPS download
- postinstall.mjs extracts the downloaded tgz with tar and installs/chmods bin/.onecode
- bin/onecode spawns the resolved native binary and forwards CLI args
Evidence against
- No credential/env harvesting beyond binary path/download base env vars observed
- No writes to Claude/Codex/Cursor/MCP or other agent control-surface config observed
- No persistence hooks, shell startup edits, VCS hooks, or autostart entries observed
- Network endpoint is package-aligned binary distribution, not observed exfiltration
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell, UrlStrings
Source & flagged code
2 flagged
package.json
- scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
Findings
1 High, 3 Medium, 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings