AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package uses an npm postinstall hook to fetch and install an executable platform payload from a raw IP endpoint with TLS verification disabled. This creates an install-time staged binary payload surface outside normal npm integrity controls.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or package manager lifecycle script
Impact
A network or endpoint compromise can replace the installed onecode executable that users later run via the package bin.
Mechanism
postinstall remote tgz download, extraction, chmod, and launcher hardlink
Attack narrative
On install, package.json invokes postinstall.mjs, which imports platform-bootstrap.mjs. If a platform binary is not already present, it downloads a tgz from a hardcoded IP endpoint with certificate validation disabled, extracts it, chmods the binary, links it into bin/.onecode, and refreshes bundled asset symlinks. The bin launcher later spawns that installed executable.
Rationale
Source inspection confirms a lifecycle-triggered remote executable payload install from a non-registry IP endpoint with TLS verification disabled. Even without credential theft or immediate binary execution, this is a blockable staged payload carrier because the package installs unverified remote code during npm install.
Evidence
package.jsonpostinstall.mjsplatform-bootstrap.mjsbin/onecodebin/.onecodenode_modules/onecode-<platform>-<arch>node_modules/onecode-<platform>-<arch>/bin/onecode.platform-version.platform-bootstrap-work.opencode.oneskills
Network endpoints1
218.90.133.98:4443/onecode_tgz
Decision evidence
public snapshotAI called this Malicious at 88.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json runs postinstall: node ./postinstall.mjs
- postinstall.mjs calls ensurePlatformBinary during npm install
- platform-bootstrap.mjs downloads a platform tgz from https://218.90.133.98:4443/onecode_tgz when local binary is absent
- downloadFile uses https.get with rejectUnauthorized:false
- downloaded tgz is extracted with tar and installed under node_modules/onecode-<platform>-<arch>
- bin/onecode later spawns bin/.onecode or discovered platform binary
Evidence against
- No credential or environment harvesting found beyond binary path/download base overrides
- No home-directory agent control-surface writes found in JS launcher/bootstrap code
- No install-time execution of the downloaded binary observed; install stages and links it
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings