@onescience/onecode@1.14.50-202607011517

OneScience AI coding agent for the terminal.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package performs unauthenticated install-time native binary delivery from a raw IP endpoint. The downloaded binary is extracted and wired into the package CLI without an integrity check.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle, then onecode CLI execution
Impact
Remote endpoint or MITM can supply the executable later invoked by users as onecode.
Mechanism
install-time remote binary download and execution wrapper
Attack narrative
On install, postinstall.mjs downloads a platform tgz from a hardcoded IP over HTTPS while disabling certificate validation, extracts it with tar, places it under package-local node_modules, and links/copies the binary to bin/.onecode. The public bin/onecode wrapper then spawns that installed binary for user commands.
Rationale
This is concrete install-time remote executable staging from an unauthenticated endpoint with no observed integrity verification. Although the behavior is package-aligned for a native CLI and not an AI-agent control hijack, the delivery path is unsafe enough to block.
Evidence
package.json, postinstall.mjs, bin/onecode, .postinstall-work, node_modules/onecode-<platform>-<arch>, bin/.onecode
Network endpoints: 1
218.90.133.98:4443/onecode_tgz

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs install-time hook: node ./postinstall.mjs
  • postinstall.mjs downloads a platform tgz from https://218.90.133.98:4443/onecode_tgz
  • postinstall.mjs disables TLS certificate verification with rejectUnauthorized:false
  • postinstall.mjs extracts the downloaded tgz and installs/chmods a binary during postinstall
  • bin/onecode executes the installed/cached binary and allows override via ONECODE_BIN_PATH or OPENCODE_BIN_PATH
Evidence against
  • No credential harvesting, home-agent config writes, persistence hooks, or destructive file operations found
  • Writes appear limited to package-local .postinstall-work, node_modules, and bin/.onecode
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 5.42 KB of source, external domains: 218.90.133.98

Source & flagged code

2 flagged
package.json
scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.


Findings

1 High, 3 Medium, 3 Low
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings