@onescience/onecode@1.14.50-202607011624

OneScience AI coding agent for the terminal.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time bootstrap fetches and installs a remote native CLI binary over HTTPS with certificate verification disabled. The downloaded executable is staged in the package and later run by the user-invoked onecode bin wrapper.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install/postinstall; later onecode CLI invocation
Impact
Unverified remote binary supply-chain risk; no confirmed exfiltration or agent control hijack in inspected source
Mechanism
install-time remote platform binary download and link
Attack narrative
On install, the package checks for a matching platform binary, downloads a versioned tgz from a hardcoded IP endpoint if missing, extracts it with tar, places it under node_modules, links it to bin/.onecode, and stamps the installed version. The wrapper later spawns that binary when the user runs onecode.
Rationale
The package contains a real install-time remote binary staging path with TLS verification disabled, which is unresolved supply-chain risk. Inspected source does not show credential theft, persistence outside the package, destructive actions, or unconsented foreign AI-agent control-surface mutation, so this is warn-level rather than publish-block malware.
Evidence
  • package.json
  • postinstall.mjs
  • platform-bootstrap.mjs
  • bin/onecode
  • bin/.onecode
  • node_modules/onecode-linux-x64
  • node_modules/onecode-darwin-x64
  • node_modules/onecode-darwin-arm64
  • .platform-version
  • .platform-bootstrap-work
Network endpoints (1)
218.90.133.98:4443/onecode_tgz

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node ./postinstall.mjs
  • postinstall.mjs calls ensurePlatformBinary during install
  • platform-bootstrap.mjs downloads a platform tgz from https://218.90.133.98:4443/onecode_tgz
  • platform-bootstrap.mjs uses https.get with rejectUnauthorized:false
  • platform-bootstrap.mjs extracts tgz and installs an executable into node_modules then links bin/.onecode
Evidence against
  • bin/onecode only resolves and spawns the installed onecode binary when user invokes the CLI
  • No credential harvesting, home-directory agent config writes, persistence hooks, or destructive behavior found in package JS
  • Network use is limited to fetching the package-aligned platform binary tgz
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 7.17 KB of source, external domains: 218.90.133.98

Source & flagged code

2 flagged
package.json
scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.


Findings

1 High, 3 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings