AI Security Review
scanned 2h ago · by lpm-firewall-ai
The npm postinstall hook can fetch and install an unauthenticated platform executable from a hardcoded IP endpoint. The binary payload is not included in the inspected source and is not integrity-checked before being installed as the CLI target.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, then later onecode CLI execution
Impact
Remote endpoint or network attacker can supply the executable that becomes the package CLI binary.
Mechanism
install-time remote binary download without TLS validation or integrity check
Attack narrative
On install, package.json runs postinstall.mjs, which calls platform-bootstrap.mjs. If the platform package is absent, it downloads a versioned tgz from a hardcoded IP over HTTPS with certificate verification disabled, extracts it with tar, installs the binary under node_modules, chmods it executable, and links/copies it to bin/.onecode. The wrapper later spawns that binary for user CLI invocations.
Rationale
This package uses an npm lifecycle hook to install an opaque executable from a hardcoded remote IP with certificate validation disabled and no source-visible integrity check. That creates a concrete staged payload delivery path rather than a merely user-invoked package-aligned CLI bootstrap.
Evidence
- package.json
- postinstall.mjs
- platform-bootstrap.mjs
- bin/onecode
- bin/.onecode
- .platform-version
- .platform-bootstrap-work
- node_modules/onecode-<platform>-<arch>
- .opencode
- .oneskills
Network endpoints: 1
218.90.133.98:4443/onecode_tgz
Decision evidence
public snapshot
AI called this Malicious at 88.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json defines postinstall: node ./postinstall.mjs
- postinstall.mjs calls ensurePlatformBinary during npm install
- platform-bootstrap.mjs downloads a platform tgz from https://218.90.133.98:4443/onecode_tgz when local binary is absent
- https.get uses rejectUnauthorized:false and no checksum/signature verification is present
- Downloaded tgz is extracted and its executable is chmodded and linked as bin/.onecode
- Installer writes package-root .opencode and .oneskills symlinks from the downloaded platform package
Evidence against
- bin/onecode mainly forwards CLI args to a resolved onecode binary
- No credential harvesting, destructive project/home traversal, or exfiltration logic found in the JavaScript wrapper files
- Agent asset symlinks are created inside the package root, not a foreign home/project AI-agent config path
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell, UrlStrings
Source & flagged code
2 flagged
package.json
- scripts.postinstall = node ./postinstall.mjs
  High: Install Time Lifecycle Scripts. Package defines install-time lifecycle scripts. (package.json)
- scripts.postinstall = node ./postinstall.mjs
  Medium: Ambiguous Install Lifecycle Script. Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
Findings
1 High, 3 Medium, 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings