AI Security Review
scanned 7h ago · by lpm-firewall-ai
The package is a thin npm wrapper that installs a release binary at npm install time. No malicious JS behavior is confirmed, but the actual installed executable is fetched from a remote release artifact not present in the package source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; later user-invoked bin commands
Impact
Remote native executable becomes available through package bin wrappers; behavior of that binary is not inspectable from this npm source package.
Mechanism
install-time remote binary download and extraction
Attack narrative
On install, the postinstall script selects a platform tarball, downloads it plus SHA256SUMS from the project GitHub release URL or an environment-provided base URL, verifies the archive checksum from that same release source, removes any existing package-local .ccb-release directory, and extracts the archive. CLI entrypoints later call the installed executable via a runner.
Rationale
Static inspection finds an install-time remote binary installer, which is risky for firewall policy because the executable payload is outside the npm source, but the visible JS does not show exfiltration, persistence, destructive behavior, or unconsented foreign AI-agent control-surface mutation. Mark as warn/suspicious rather than block.
Evidence
- package.json
- bin/ccb-npm-install.js
- bin/ccb-npm-runner.js
- bin/ccb.js
- bin/ask.js
- bin/autonew.js
- bin/ctx-transfer.js
- .ccb-release
- os.tmpdir()/ccb-npm-*
Network endpoints: 1
github.com/SeemSeam/claude_codex_bridge/releases/download/v8.0.15
Decision evidence
public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- package.json defines postinstall: node bin/ccb-npm-install.js
- bin/ccb-npm-install.js downloads platform tarball and SHA256SUMS from GitHub releases during install
- CCB_NPM_RELEASE_BASE_URL can redirect installer downloads to an arbitrary base URL
- install script extracts downloaded archive into package-local .ccb-release
Evidence against
- Downloaded archive is checked against SHA256SUMS before extraction
- bin/ask.js, bin/ccb.js, bin/autonew.js, and bin/ctx-transfer.js only invoke the shared runner
- No source-level credential harvesting, home-directory agent config writes, persistence hooks, or exfiltration code found
- Network endpoint is package-aligned with declared GitHub repository/releases
Behavioral surface
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network
HighEntropyStrings, UrlStrings
CopyleftLicense
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node bin/ccb-npm-install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
bin/ask.js
3L4: require("./ccb-npm-runner").run("ask");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/ask.js · L3
Findings
1 High · 4 Medium · 5 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Dynamic Require (bin/ask.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: Copyleft License