VDB
EN

MAL-2026-10717

Malicious code in @onescience/onecode (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d334dd52244b44793af06be86dfd8d0de20ea8bb6d28cc1e4016b5fa45432578) The postinstall lifecycle script runs ensurePlatformBinary, which when the optionalDependency install fails to populate the platform package falls back to fetching a.tgz over HTTPS from a hardcoded bare-IP endpoint, https://218.90.133.98:4443/onecode_tgz/, with rejectUnauthorized:false disabling TLS certificate verification. The fetched archive is extracted with tar, the extracted binary is chmod 0755 and hardlinked into bin/.onecode, and that binary becomes the CLI invoked as `onecode`. No hash or signature verification is performed, the host is a bare IP rather than a publisher-owned domain, and the URL always constructs `onecode-linux-x64-<version>.tgz` regardless of the detected platform/arch. Whoever controls the endpoint at 218.90.133.98:4443 — or any on-path attacker, given TLS verification is disabled — can deliver arbitrary executable content to any installer whose optional platform dependency fails to install.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / @onescience/onecode

No fixed version published yet for @onescience/onecode (npm). Pin to a known-safe version or switch to an alternative.

참고