registry  /  @stevenzxs/ccharness  /  1.0.1

@stevenzxs/ccharness@1.0.1

ccharness CLI — interactive AI coding assistant in the terminal

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a repackaged Claude-Code-like CLI with broad user-invoked agent capabilities. The confirmed unresolved risk is a prepare lifecycle command that changes Git hook configuration, but no install-time foreign AI-agent hijack or exfiltration path was confirmed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Running npm prepare/git dependency install or invoking the ccharness CLI.
Impact
Potential repository hook configuration change during prepare; runtime capabilities are expected for an AI coding CLI and gated/user-configured in inspected paths.
Mechanism
prepare-time Git hooksPath mutation plus user-invoked AI agent tooling
Rationale
Source inspection supports a warning for prepare-only VCS hook setup and broad user-invoked agent functionality, not a publish block. Scanner exfiltration/phishing hits resolve to bundled cloud/auth SDK and Claude Code auth/telemetry flows rather than a malicious data path.
Evidence
package.jsondist/cli.jsdist/chunk-a07hgnvm.jsdist/chunk-jb95wx8d.jsdist/chunk-2whhcyfm.jsdist/chunk-pfxrg89f.jsdist/chunk-ta4rpce6.jsdist/chunk-sbe835v8.js

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json prepare runs `git config core.hooksPath .githooks`, mutating repo Git hook configuration when prepare is executed.
  • package.json exposes bin commands `ccharness`/`cc-harness` to dist/cli.js, an AI coding assistant with shell/MCP/plugin capabilities.
  • dist/chunk-a07hgnvm.js can run user-configured apiKeyHelper/awsAuthRefresh/gcpAuthRefresh commands, guarded by workspace trust for project/local settings.
Evidence against
  • No preinstall/install/postinstall hook; lifecycle execution is prepare/prepublishOnly rather than consumer install-time mutation.
  • No concrete credential exfiltration found; highlighted auth code sends provider credentials to Anthropic/AWS/GCP/Azure auth flows or stores local Claude credentials.
  • dist/chunk-jb95wx8d.js is bundled @azure/identity code, not browser credential phishing logic.
  • dist/chunk-2whhcyfm.js eval is bundled OpenTelemetry dynamic require fallback.
  • Runtime network endpoints found are package-aligned Claude/Anthropic, GrowthBook, OpenTelemetry localhost, or cloud provider SDK endpoints.
  • No prompt/reviewer manipulation or destructive payload found in inspected entrypoints/chunks.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 456 file(s), 19.7 MB of source, external domains: 1.1.1.1, 127.0.0.1, 169.254.169.254, 169.254.170.2, a.co, accounts.google.com, aiplatform.googleapis.com, aka.ms, anthropic.com, api-staging.anthropic.com, api.anthropic.com, app.corridor.dev, apps.apple.com, aws.amazon.com, beacon.claude-ai.staging.ant.dev, cdn.growthbook.io, clau.de, claude-ai.staging.ant.dev, claude-staging.fedstart.com, claude.ai, claude.com, claude.fedstart.com, cli.github.com, cloud.google.com, cloudresourcemanager.googleapis.com, code.claude.com, cognito-identity-fips.us-east-1.amazonaws.com, cognito-identity-fips.us-east-2.amazonaws.com, cognito-identity-fips.us-west-1.amazonaws.com, cognito-identity-fips.us-west-2.amazonaws.com, cognito-identity.amazonaws.com, docs.anthropic.com, docs.aws.amazon.com, docs.claude.com, docs.expo.dev, example.com, fonts.googleapis.com, git-scm.com, github.com, grpc.io, hooks.example.com, http-intake.logs.us5.datadoghq.com, json-schema.org, json.schemastore.org, learn.microsoft.com, login.chinacloudapi.cn, login.microsoftonline.com, login.microsoftonline.de, login.microsoftonline.us, login.windows-ppe.net
Oversized source lightweight scan
dist/chunk-b6gc8vws.js5.86 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStrings

Source & flagged code

13 flagged · loading source
dist/chunk-jb95wx8d.jsView file
28(function(AzureAuthorityHosts2) { L29: AzureAuthorityHosts2["AzureChina"] = "https://login.chinacloudapi.cn"; L30: AzureAuthorityHosts2["AzureGermany"] = "https://login.microsoftonline.de"; ... L194: try { L195: const oauthErrorResponse = JSON.parse(errorBody); L196: errorResponse = [redacted](oauthErrorResponse); ... L207: error: "unknown_error", L208: errorDescription: `An unknown error has occurred. Response body: L209: ... L255: function log(message, ...args) { L256: process2.stderr.write(`${util.format(message, ...args)}${EOL}`); L257: }
Critical
Browser Credential Phishing

Source appears to collect browser login credentials for exfiltration.

dist/chunk-jb95wx8d.jsView on unpkg · L28
28(function(AzureAuthorityHosts2) { L29: AzureAuthorityHosts2["AzureChina"] = "https://login.chinacloudapi.cn"; L30: AzureAuthorityHosts2["AzureGermany"] = "https://login.microsoftonline.de"; ... L194: try { L195: const oauthErrorResponse = JSON.parse(errorBody); L196: errorResponse = [redacted](oauthErrorResponse); ... L207: error: "unknown_error", L208: errorDescription: `An unknown error has occurred. Response body: L209: ... L255: function log(message, ...args) { L256: process2.stderr.write(`${util.format(message, ...args)}${EOL}`); L257: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-jb95wx8d.jsView on unpkg · L28
1131patternName = generic_password severity = medium line = 1131 matchedText = passwo...
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/chunk-jb95wx8d.jsView on unpkg · L1131
28(function(AzureAuthorityHosts2) { L29: AzureAuthorityHosts2["AzureChina"] = "https://login.chinacloudapi.cn"; L30: AzureAuthorityHosts2["AzureGermany"] = "https://login.microsoftonline.de"; ... L194: try { L195: const oauthErrorResponse = JSON.parse(errorBody); L196: errorResponse = [redacted](oauthErrorResponse); ... L207: error: "unknown_error", L208: errorDescription: `An unknown error has occurred. Response body: L209: ... L255: function log(message, ...args) { L256: process2.stderr.write(`${util.format(message, ...args)}${EOL}`); L257: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunk-jb95wx8d.jsView on unpkg · L28
dist/chunk-ta4rpce6.jsView file
4917var executable_response_1 = require_executable_response(); L4918: var childProcess = __require("child_process"); L4919: var fs = __require("fs");
High
Child Process

Package source references child process execution.

dist/chunk-ta4rpce6.jsView on unpkg · L4917
6import { L7: require_base64_js L8: } from "./chunk-8sdgr592.js"; ... L18: L19: // node_modules/.bun/gaxios@7.1.4/node_modules/gaxios/package.json L20: var require_package = __commonJS((exports, module) => { ... L263: return; L264: } else if (obj instanceof FormData || obj instanceof URLSearchParams || "forEach" in obj && "set" in obj) { L265: obj.forEach((_, key) => { ... L558: const noProxyList = [...noProxy]; L559: const noProxyEnvList = (process.env.NO_PROXY ?? process.env.no_proxy)?.split(",") || []; L560: for (const rule of noProxyEnvList) {
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/chunk-ta4rpce6.jsView on unpkg · L6
dist/chunk-pfxrg89f.jsView file
83import fs4, { constants as fsConstants } from "fs/promises"; L84: var wslDrivesMountPoint, powerShellPathFromWsl = async () => { L85: const mountPoint = await wslDrivesMountPoint();
High
Shell

Package source references shell execution.

dist/chunk-pfxrg89f.jsView on unpkg · L83
dist/chunk-2whhcyfm.jsView file
658try { L659: var mod = eval("quire".replace(/^/, "re"))(moduleName); L660: if (mod && (mod.length || Object.keys(mod).length))
High
Eval

Package source references dynamic code evaluation.

dist/chunk-2whhcyfm.jsView on unpkg · L658
dist/chunk-a07hgnvm.jsView file
113execSyncWithDefaults_DEPRECATED, L114: execa, L115: execaSync, ... L164: init_slowOperations, L165: isDebugToStdErr, L166: isENOENT, ... L273: import { L274: axios_default, L275: init_axios ... L526: if ("CI" in env2) { L527: if (["GITHUB_ACTIONS", "GITEA_ACTIONS", "CIRCLECI"].some((key) => (key in env2))) { L528: return 3;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-a07hgnvm.jsView on unpkg · L113
113Trigger-reachable chain: manifest.bin -> dist/cli.js -> dist/chunk-5yc6h8kt.js -> dist/chunk-a07hgnvm.js L113: execSyncWithDefaults_DEPRECATED, L114: execa, L115: execaSync, ... L164: init_slowOperations, L165: isDebugToStdErr, L166: isENOENT, ... L273: import { L274: axios_default, L275: init_axios ... L526: if ("CI" in env2) { L527: if (["GITHUB_ACTIONS", "GITEA_ACTIONS", "CIRCLECI"].some((key) => (key in env2))) { L528: return 3;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-a07hgnvm.jsView on unpkg · L113
113execSyncWithDefaults_DEPRECATED, L114: execa, L115: execaSync, ... L164: init_slowOperations, L165: isDebugToStdErr, L166: isENOENT, ... L273: import { L274: axios_default, L275: init_axios ... L526: if ("CI" in env2) { L527: if (["GITHUB_ACTIONS", "GITEA_ACTIONS", "CIRCLECI"].some((key) => (key in env2))) { L528: return 3;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-a07hgnvm.jsView on unpkg · L113
dist/chunk-z92gmnjw.jsView file
257Cross-file remote execution chain: dist/chunk-z92gmnjw.js spawns dist/chunk-y5patg9p.js; helper contains network access plus dynamic code execution. L257: PASTE_THRESHOLD, L258: POWERSHELL_TOOL_NAME, L259: PROMPT_PREFIX, ... L1255: COMMAND_NAME_TAG, L1256: LOCAL_COMMAND_STDOUT_TAG, L1257: STATUS_TAG, ... L1332: import { L1333: axios_default, L1334: init_axios ... L1692: function startRestartInterval() { L1693: if (process.platform !== "darwin") { L1694: return;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-z92gmnjw.jsView on unpkg · L257
dist/chunk-b6gc8vws.jsView file
path = dist/chunk-b6gc8vws.js kind = oversized_source_file sizeBytes = 6143586 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunk-b6gc8vws.jsView on unpkg

Findings

3 Critical7 High5 Medium8 Low
CriticalCredential Exfiltrationdist/chunk-a07hgnvm.js
CriticalBrowser Credential Phishingdist/chunk-jb95wx8d.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-a07hgnvm.js
HighChild Processdist/chunk-ta4rpce6.js
HighShelldist/chunk-pfxrg89f.js
HighEvaldist/chunk-2whhcyfm.js
HighSandbox Evasion Gated Capabilitydist/chunk-jb95wx8d.js
HighCloud Metadata Accessdist/chunk-ta4rpce6.js
HighCross File Remote Execution Contextdist/chunk-z92gmnjw.js
HighOversized Source Filedist/chunk-b6gc8vws.js
MediumSecret Patterndist/chunk-jb95wx8d.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-a07hgnvm.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/chunk-jb95wx8d.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings