AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious behavior in the npm source, but install-time remote binary download creates unresolved supply-chain risk. The CLI later executes that downloaded binary when user runs ccb, ask, autonew, or ctx-transfer.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; CLI invocation runs downloaded executable
Impact
Remote release artifact gains local code execution if the release/checksum source is compromised or overridden by environment.
Mechanism
install-time GitHub release binary downloader and CLI launcher
Attack narrative
The package is a thin npm installer/launcher for CCB. On postinstall it selects a platform tarball, downloads it plus SHA256SUMS from the project GitHub release URL, verifies the archive against the downloaded checksum, extracts it under .ccb-release, and the bin wrappers spawn the extracted commands. This is package-aligned but leaves the actual executable outside the inspected npm source.
Rationale
Static source inspection does not show concrete malicious behavior, credential theft, or covert endpoints. Because installation fetches and stages an executable from a remote release rather than shipping inspectable source, this should warn rather than block.
Evidence
package.jsonbin/ccb-npm-install.jsbin/ccb-npm-runner.jsbin/ccb.jsbin/ask.jsbin/autonew.jsbin/ctx-transfer.jsREADME.md.ccb-releaseos.tmpdir()/ccb-npm-*
Network endpoints1
github.com/SeemSeam/claude_codex_bridge/releases/download/v8.0.12
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node bin/ccb-npm-install.js
- bin/ccb-npm-install.js downloads release tarball and SHA256SUMS over HTTPS during install
- Downloaded archive is extracted into .ccb-release and later executed by CLI wrappers
Evidence against
- Network URL is package-aligned GitHub release path for claude_codex_bridge
- Checksum is verified before extraction, though checksum is fetched from same release base URL
- bin/*.js wrappers only call ccb-npm-runner for named CLI commands
- No source evidence of credential harvesting, destructive project traversal, persistence, or covert exfiltration
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node bin/ccb-npm-install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgbin/ask.jsView file
3L4: require("./ccb-npm-runner").run("ask");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/ask.jsView on unpkg · L3Findings
1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requirebin/ask.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License