@onescience/onecode@1.14.50-202607011501

OneScience AI coding agent for the terminal.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install lifecycle fetches and stages a native executable from a hardcoded IP endpoint with TLS certificate validation disabled. The staged binary is then executed when the onecode CLI is invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, then user invokes onecode CLI
Impact
Unverified remote binary can define runtime behavior outside the inspected npm source.
Mechanism
install-time remote native binary download and CLI launcher spawn
Attack narrative
During postinstall, the package downloads a platform tarball from a hardcoded IP URL, disables TLS certificate verification, extracts it, and stages a chmodded native binary as bin/.onecode. The package wrapper later spawns that binary for CLI use. Source inspection found no exfiltration or foreign AI-agent control-surface mutation, but the binary payload is remote and unauthenticated from the npm source package.
Rationale
The package has a real install-time remote payload risk because it stages a native executable from an IP endpoint with certificate verification disabled, but inspected source does not show concrete exfiltration, persistence, or agent control hijack. Treat as suspicious remote payload staging rather than confirmed malware.
Evidence
  • package.json
  • postinstall.mjs
  • bin/onecode
  • bin/.onecode
  • node_modules/onecode-<platform>-<arch>
  • /tmp/onecode-<platform>-<arch>-<version>.tgz
  • /tmp/onecode-<platform>-<arch>-<version>-extract
Network endpoints (1)
218.90.133.98:4443/onecode_tgz

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node ./postinstall.mjs
  • postinstall.mjs downloads a platform tgz from https://218.90.133.98:4443/onecode_tgz
  • postinstall.mjs sets rejectUnauthorized:false for HTTPS download
  • postinstall.mjs extracts the downloaded tgz with tar and installs/chmods bin/.onecode
  • bin/onecode spawns the resolved native binary and forwards CLI args
Evidence against
  • No credential/env harvesting beyond binary path/download base env vars observed
  • No writes to Claude/Codex/Cursor/MCP or other agent control-surface config observed
  • No persistence hooks, shell startup edits, VCS hooks, or autostart entries observed
  • Network endpoint is package-aligned binary distribution, not observed exfiltration
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 4.95 KB of source, external domains: 218.90.133.98

Source & flagged code

2 flagged
package.json
scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 3 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings