@onescience/onecode@1.14.50-202607011608

OneScience AI coding agent for the terminal.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time code can fetch and install a remote platform executable from a hardcoded IP endpoint without TLS certificate validation or integrity verification. This creates an unresolved staged payload risk, but no credential theft, persistence, or foreign agent control-surface mutation was found in the package JS.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall when platform package is absent or stale
Impact
Remote endpoint can supply the CLI executable installed into the package and later run by the onecode bin wrapper.
Mechanism
install-time unverified platform binary download and extraction
Attack narrative
On install, postinstall.mjs invokes platform-bootstrap.mjs. If the expected platform package is not already present for this version, it downloads a tgz from a hardcoded IP URL, disables TLS certificate validation, extracts it with tar, moves it into package-local node_modules, chmods the executable, and links it as bin/.onecode. The installed binary is then executed later by bin/onecode.
Rationale
Source inspection confirms a real install-time remote binary carrier with weak transport/integrity controls, but the reviewed JS does not itself execute the downloaded binary during install or show exfiltration, persistence, destructive behavior, or unconsented AI-agent control hijack. Treat as unresolved staged payload risk rather than confirmed malware.
Evidence
  • package.json
  • postinstall.mjs
  • platform-bootstrap.mjs
  • bin/onecode
  • node_modules/onecode-<platform>-<arch>
  • bin/.onecode
  • .platform-version
  • .platform-bootstrap-work
Network endpoints (1)
218.90.133.98:4443/onecode_tgz

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node ./postinstall.mjs
  • postinstall.mjs calls ensurePlatformBinary(rootDir) during install
  • platform-bootstrap.mjs downloads a tgz from https://218.90.133.98:4443/onecode_tgz when local platform package is missing
  • platform-bootstrap.mjs uses https.get with rejectUnauthorized:false and no checksum/signature verification
  • platform-bootstrap.mjs extracts the downloaded tgz and installs/chmods a platform executable under node_modules, then links bin/.onecode
Evidence against
  • No credential/env harvesting or exfiltration found in inspected JS
  • No writes to Claude/Codex/Cursor/MCP or other foreign AI-agent control surfaces found
  • bin/onecode is a runtime wrapper that resolves a local/env platform binary and forwards argv/signals
  • Lifecycle writes are confined to package-local node_modules, .platform-bootstrap-work, .platform-version, and bin/.onecode
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 7.17 KB of source, external domains: 218.90.133.98

Source & flagged code

2 flagged
package.json
scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 3 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings