registry  /  @onescience/onecode  /  1.14.50-202607021504

@onescience/onecode@1.14.50-202607021504

OneScience AI coding agent for the terminal.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time code can fetch an unverified platform binary tarball from a hardcoded IP endpoint with TLS certificate validation disabled. The downloaded payload is extracted and installed as the package CLI binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle when platform package is missing
Impact
A remote server can supply executable code that becomes the onecode CLI without registry-published source or integrity protection.
Mechanism
install-time unverified remote binary download and staging
Attack narrative
During npm install, the postinstall script imports platform-bootstrap.mjs and ensures a platform binary exists. If not found locally, it constructs a tgz URL under a hardcoded IP host, downloads it with certificate verification disabled, extracts it with tar, chmods the binary, and links/copies it to bin/.onecode. That stages opaque executable code outside npm registry integrity guarantees.
Rationale
The source establishes a concrete install-time remote payload path with disabled TLS verification and no integrity check. Even without credential theft or immediate binary execution, this is a blockable staged executable payload carrier.
Evidence
package.jsonpostinstall.mjsplatform-bootstrap.mjsbin/onecodebin/.onecode.platform-version.platform-bootstrap-worknode_modules/onecode-linux-x64.opencode.oneskills
Network endpoints1
218.90.133.98:4443/onecode_tgz

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node ./postinstall.mjs
  • postinstall.mjs calls ensurePlatformBinary() during npm lifecycle
  • platform-bootstrap.mjs downloads a platform tgz from https://218.90.133.98:4443/onecode_tgz when local binary is absent
  • downloadFile() uses https.get with rejectUnauthorized:false and no integrity/signature verification
  • downloaded tgz is extracted with execSync tar and linked/copied to bin/.onecode for later execution
Evidence against
  • No credential/env/file harvesting logic found in inspected JS files
  • No install-time execution of the downloaded onecode binary observed; execution occurs via the onecode bin wrapper
  • Filesystem writes are mostly under the package root/node_modules, not user home or shell startup files
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 8.91 KB of source, external domains: 218.90.133.98

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings