MAL-2026-10717
Malicious code in @onescience/onecode (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d334dd52244b44793af06be86dfd8d0de20ea8bb6d28cc1e4016b5fa45432578) The postinstall lifecycle script runs ensurePlatformBinary, which when the optionalDependency install fails to populate the platform package falls back to fetching a.tgz over HTTPS from a hardcoded bare-IP endpoint, https://218.90.133.98:4443/onecode_tgz/, with rejectUnauthorized:false disabling TLS certificate verification. The fetched archive is extracted with tar, the extracted binary is chmod 0755 and hardlinked into bin/.onecode, and that binary becomes the CLI invoked as `onecode`. No hash or signature verification is performed, the host is a bare IP rather than a publisher-owned domain, and the URL always constructs `onecode-linux-x64-<version>.tgz` regardless of the detected platform/arch. Whoever controls the endpoint at 218.90.133.98:4443 — or any on-path attacker, given TLS verification is disabled — can deliver arbitrary executable content to any installer whose optional platform dependency fails to install.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for @onescience/onecode (npm). Pin to a known-safe version or switch to an alternative.