npm

@onescience/onecode @1.14.50-202607161710

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10717

Ecosystem

npm

Summary

The postinstall lifecycle script runs ensurePlatformBinary, which when the optionalDependency install fails to populate the platform package falls back to fetching a.tgz over HTTPS from a hardcoded bare-IP endpoint, https://218.90.133.98:4443/onecode_tgz/, with rejectUnauthorized:false disabling TLS certificate verification. The fetched archive is extracted with tar, the extracted binary is chmod 0755 and hardlinked into bin/.onecode, and that binary becomes the CLI invoked as onecode . No hash or signature verification is performed, the host is a bare IP rather than a publisher-owned domain, and the URL always constructs onecode-linux-x64-<version>.tgz regardless of the detected platform/arch. Whoever controls the endpoint at 218.90.133.98:4443 — or any on-path attacker, given TLS verification is disabled — can deliver arbitrary executable content to any installer whose optional platform dependency fails to install.

Source: amazon-inspector (d334dd52244b44793af06be86dfd8d0de20ea8bb6d28cc1e4016b5fa45432578)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.