registry  /  @inulute/cux  /  0.3.0

@inulute/cux@0.3.0

Run multiple Claude Code accounts as one

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installation downloads and marks executable a native binary that is not included in the reviewed source. The CLI subsequently executes that binary with user arguments and inherited environment.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install invokes postinstall; running cux invokes the downloaded binary.
Impact
A compromised or redirected release artifact can execute arbitrary code as the installing or CLI user.
Mechanism
remote native-binary bootstrap and execution
Rationale
No concrete malicious behavior is present in the reviewed JavaScript, but this install-time remote executable bootstrap leaves a material unresolved payload risk. Treat as a warning rather than a block because the behavior is documented and package-aligned, not stealthy foreign-control-surface mutation.
Evidence
package.jsoninstall.jsbin/cux.jsREADME.mdbin/cuxbin/cux.exebin/cux.sha256bin/cux.exe.sha256
Network endpoints2
github.com/inulute/cux/releases/download/v<version>/<asset>github.com/<CUX_RELEASE_REPO>/releases/download/v<version>/<asset>

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node install.js.
  • install.js downloads a platform binary during installation.
  • CUX_RELEASE_REPO can redirect downloads to another GitHub repository.
  • Checksum is downloaded from the same mutable release source.
  • bin/cux.js executes the downloaded binary with inherited environment.
Evidence against
  • Only five package files are present; no bundled opaque binary.
  • install.js has no credential harvesting, exfiltration, eval, or shell execution.
  • Source writes only the package-local bin artifact.
  • README.md documents the binary-download lifecycle and override.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
CopyleftLicense
scanned 2 file(s), 8.23 KB of source, external domains: cux.inulute.com, github.com, support.inulute.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License