AI Security Review
scanned 2h ago · by lpm-firewall-ai

Install-time bootstrap fetches and installs a remote native CLI binary over HTTPS with certificate verification disabled. The downloaded executable is staged in the package and later run by the user-invoked onecode bin wrapper.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install/postinstall; later onecode CLI invocation
Impact
Unverified remote binary supply-chain risk; no confirmed exfiltration or agent control hijack in inspected source
Mechanism
install-time remote platform binary download and link
Attack narrative
On install, the package checks for a matching platform binary; if it is missing, it downloads a versioned tgz from a hardcoded IP endpoint, extracts it with tar, places it under node_modules, links it to bin/.onecode, and stamps the installed version. The wrapper later spawns that binary when the user runs onecode.
Rationale
The package contains a real install-time remote binary staging path with TLS verification disabled, which is an unresolved supply-chain risk: without certificate verification or a pinned digest, anyone on the network path can substitute the archive that gets extracted and linked as the CLI. Inspected source does not show credential theft, persistence outside the package, destructive actions, or unconsented foreign AI-agent control-surface mutation, so this is warn-level rather than publish-block malware.
Evidence
- package.json
- postinstall.mjs
- platform-bootstrap.mjs
- bin/onecode
- bin/.onecode
- node_modules/onecode-linux-x64
- node_modules/onecode-darwin-x64
- node_modules/onecode-darwin-arm64
- .platform-version
- .platform-bootstrap-work
Network endpoints (1)
- 218.90.133.98:4443/onecode_tgz
Decision evidence
Public snapshot: AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json runs postinstall: node ./postinstall.mjs
- postinstall.mjs calls ensurePlatformBinary during install
- platform-bootstrap.mjs downloads a platform tgz from https://218.90.133.98:4443/onecode_tgz
- platform-bootstrap.mjs uses https.get with rejectUnauthorized:false
- platform-bootstrap.mjs extracts tgz and installs an executable into node_modules then links bin/.onecode
Evidence against
- bin/onecode only resolves and spawns the installed onecode binary when user invokes the CLI
- No credential harvesting, home-directory agent config writes, persistence hooks, or destructive behavior found in package JS
- Network use is limited to fetching the package-aligned platform binary tgz
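The evidence above (a postinstall hook, an https.get with rejectUnauthorized:false, a download from an IP-literal endpoint, a subprocess that extracts and launches the result) can be reproduced with a small static audit. The script below is an added example written for this page, not the scanner's or the package's code; the package.json and source snippets it inspects are constructed to mirror the evidence listed here and are not the real onecode files.

```javascript
// Added example: a minimal static audit for the install-time signals this
// review reports. Sample inputs are constructed, not the real package files.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// package.json check: any install-time lifecycle script runs on the user's
// machine before the CLI is ever invoked, so each one needs review.
function auditPackageJson(pkg) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    findings.push({
      severity: 'high', rule: 'install-lifecycle-script', file: 'package.json',
      detail: `scripts.${hook} = ${scripts[hook]}`,
    });
  }
  return findings;
}

// Source check: TLS verification disabled, a fetch from an IPv4 literal
// (optionally with a non-default port), and subprocess use.
function auditSource(fileName, text) {
  const findings = [];
  if (/rejectUnauthorized\s*:\s*false/.test(text)) {
    findings.push({ severity: 'high', rule: 'tls-verification-disabled', file: fileName,
      detail: 'https request sends rejectUnauthorized:false' });
  }
  const ipUrl = /https?:\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?/g;
  for (const m of text.matchAll(ipUrl)) {
    findings.push({ severity: 'medium', rule: 'raw-ip-download-endpoint', file: fileName,
      detail: `remote fetch from IP literal ${m[1]}${m[2] ? ':' + m[2] : ''}` });
  }
  if (/\b(?:child_process|execFileSync|execSync|spawnSync|spawn)\b/.test(text)) {
    findings.push({ severity: 'low', rule: 'child-process', file: fileName,
      detail: 'spawns a subprocess; expected for tar/binary launch, confirm the target' });
  }
  return findings;
}

// Whole-package audit: combine findings and tally them by severity.
function auditPackage(pkg, sources) {
  const findings = [...auditPackageJson(pkg)];
  for (const [file, text] of Object.entries(sources)) {
    findings.push(...auditSource(file, text));
  }
  const counts = { high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return { findings, counts };
}

// Constructed sample modelled on the review's evidence (not the real files).
const SAMPLE_PACKAGE_JSON = {
  name: 'onecode', version: '0.0.0',
  scripts: { postinstall: 'node ./postinstall.mjs', test: 'node --test' },
};
const SAMPLE_SOURCES = {
  'postinstall.mjs': [
    "import { ensurePlatformBinary } from './platform-bootstrap.mjs';",
    'await ensurePlatformBinary();',
  ].join('\n'),
  'platform-bootstrap.mjs': [
    "import https from 'node:https';",
    "import { execFileSync } from 'node:child_process';",
    "const ARCHIVE_URL = 'https://218.90.133.98:4443/onecode_tgz';",
    'export async function ensurePlatformBinary() {',
    '  // ...download with https.get(ARCHIVE_URL, { rejectUnauthorized: false }, cb)',
    "  // ...then execFileSync('tar', ['-xzf', archivePath, '-C', dest])",
    '}',
  ].join('\n'),
};

console.log(auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES));
```

The audit is deliberately string-based so it can run on a tarball before anything is installed; it answers "should a human look at this install step" rather than proving intent, which matches the warn-level outcome of this review.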
Behavioral surface
- ChildProcess
- EnvironmentVars
- Filesystem
- Network
- Shell
- UrlStrings
Source & flagged code
2 flagged in package.json
- scripts.postinstall = node ./postinstall.mjs

High: Install Time Lifecycle Scripts (package.json)
Package defines install-time lifecycle scripts.

Medium: Ambiguous Install Lifecycle Script (package.json)
Install-time lifecycle script is not statically allowlisted and needs review.

Findings
1 High · 3 Medium · 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings