MAL-2026-10717
Malicious code in @onescience/onecode (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d334dd52244b44793af06be86dfd8d0de20ea8bb6d28cc1e4016b5fa45432578) The postinstall lifecycle script runs ensurePlatformBinary, which when the optionalDependency install fails to populate the platform package falls back to fetching a.tgz over HTTPS from a hardcoded bare-IP endpoint, https://218.90.133.98:4443/onecode_tgz/, with rejectUnauthorized:false disabling TLS certificate verification. The fetched archive is extracted with tar, the extracted binary is chmod 0755 and hardlinked into bin/.onecode, and that binary becomes the CLI invoked as `onecode`. No hash or signature verification is performed, the host is a bare IP rather than a publisher-owned domain, and the URL always constructs `onecode-linux-x64-<version>.tgz` regardless of the detected platform/arch. Whoever controls the endpoint at 218.90.133.98:4443 — or any on-path attacker, given TLS verification is disabled — can deliver arbitrary executable content to any installer whose optional platform dependency fails to install.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @onescience/onecode (npm). Pin to a known-safe version or switch to an alternative.