registry  /  @stevenzxs/ccharness  /  2.1.888002

@stevenzxs/ccharness@2.1.888002

ccharness CLI — interactive AI coding assistant in the terminal

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time behavior was found. The remaining risk is runtime Claude-in-Chrome native host setup and bridge connectivity from an interactive AI assistant CLI.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the CLI with Claude-in-Chrome enabled or in an environment where the Chrome extension path is auto-enabled.
Impact
Can add a Chrome native messaging host for Claude Code and route browser-extension MCP traffic through Claude-aligned bridge services.
Mechanism
guarded native messaging host setup and Claude bridge WebSocket integration
Rationale
Static inspection did not confirm the scanner's claimed credential exfiltration or browser phishing; those hits are bundled cloud SDK/auth code or expected Claude CLI network/auth paths. Because the package can set up a browser native-host integration at runtime, warn rather than block.
Evidence
package.jsondist/cli.jsdist/chunk-374tvt0h.jsdist/chunk-b47b3hfe.jsdist/chunk-zvsevk48.jsdist/chunk-jb95wx8d.jspackage.json prepare: git core.hooksPath .githooksClaude config chrome/chrome-native-host wrapperChrome NativeMessagingHosts/com.anthropic.claude_code_browser_extension.jsonWindows native-host registry key for com.anthropic.claude_code_browser_extension
Network endpoints4
wss://bridge.claudeusercontent.comwss://bridge-staging.claudeusercontent.comclaude.ai/chromeclau.de/chrome/reconnect

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json has prepare: git config core.hooksPath .githooks, but no preinstall/install/postinstall hook.
  • dist/chunk-374tvt0h.js can create Claude-in-Chrome wrapper and native messaging host manifest at runtime.
  • dist/chunk-374tvt0h.js registers Windows native host keys for com.anthropic.claude_code_browser_extension.
  • dist/chunk-b47b3hfe.js can connect Chrome MCP bridge to wss://bridge.claudeusercontent.com and pass Claude OAuth token.
Evidence against
  • No install-time npm hook mutates broad AI-agent control surfaces; prepare is source/VCS lifecycle only.
  • dist/cli.js is a user-invoked Bun CLI entrypoint, with feature-gated Chrome/MCP/remote paths.
  • Scanner credential hits in dist/chunk-jb95wx8d.js are bundled Azure SDK auth classes, not package-authored exfiltration.
  • Scanner child_process/network hits are largely bundled SDKs or expected CLI/browser/MCP functionality.
  • No hardcoded non-package exfiltration endpoint or browser password harvesting code confirmed.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 456 file(s), 19.7 MB of source, external domains: 1.1.1.1, 127.0.0.1, 169.254.169.254, 169.254.170.2, a.co, accounts.google.com, aiplatform.googleapis.com, aka.ms, anthropic.com, api-staging.anthropic.com, api.anthropic.com, app.corridor.dev, apps.apple.com, aws.amazon.com, beacon.claude-ai.staging.ant.dev, cdn.growthbook.io, clau.de, claude-ai.staging.ant.dev, claude-staging.fedstart.com, claude.ai, claude.com, claude.fedstart.com, cli.github.com, cloud.google.com, cloudresourcemanager.googleapis.com, code.claude.com, cognito-identity-fips.us-east-1.amazonaws.com, cognito-identity-fips.us-east-2.amazonaws.com, cognito-identity-fips.us-west-1.amazonaws.com, cognito-identity-fips.us-west-2.amazonaws.com, cognito-identity.amazonaws.com, docs.anthropic.com, docs.aws.amazon.com, docs.claude.com, docs.expo.dev, example.com, fonts.googleapis.com, git-scm.com, github.com, grpc.io, hooks.example.com, http-intake.logs.us5.datadoghq.com, json-schema.org, json.schemastore.org, learn.microsoft.com, login.chinacloudapi.cn, login.microsoftonline.com, login.microsoftonline.de, login.microsoftonline.us, login.windows-ppe.net
Oversized source lightweight scan
dist/chunk-tccn9978.js5.86 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStrings

Source & flagged code

13 flagged · loading source
dist/chunk-jb95wx8d.jsView file
28(function(AzureAuthorityHosts2) { L29: AzureAuthorityHosts2["AzureChina"] = "https://login.chinacloudapi.cn"; L30: AzureAuthorityHosts2["AzureGermany"] = "https://login.microsoftonline.de"; ... L194: try { L195: const oauthErrorResponse = JSON.parse(errorBody); L196: errorResponse = [redacted](oauthErrorResponse); ... L207: error: "unknown_error", L208: errorDescription: `An unknown error has occurred. Response body: L209: ... L255: function log(message, ...args) { L256: process2.stderr.write(`${util.format(message, ...args)}${EOL}`); L257: }
Critical
Browser Credential Phishing

Source appears to collect browser login credentials for exfiltration.

dist/chunk-jb95wx8d.jsView on unpkg · L28
28(function(AzureAuthorityHosts2) { L29: AzureAuthorityHosts2["AzureChina"] = "https://login.chinacloudapi.cn"; L30: AzureAuthorityHosts2["AzureGermany"] = "https://login.microsoftonline.de"; ... L194: try { L195: const oauthErrorResponse = JSON.parse(errorBody); L196: errorResponse = [redacted](oauthErrorResponse); ... L207: error: "unknown_error", L208: errorDescription: `An unknown error has occurred. Response body: L209: ... L255: function log(message, ...args) { L256: process2.stderr.write(`${util.format(message, ...args)}${EOL}`); L257: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-jb95wx8d.jsView on unpkg · L28
1131patternName = generic_password severity = medium line = 1131 matchedText = passwo...
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/chunk-jb95wx8d.jsView on unpkg · L1131
28(function(AzureAuthorityHosts2) { L29: AzureAuthorityHosts2["AzureChina"] = "https://login.chinacloudapi.cn"; L30: AzureAuthorityHosts2["AzureGermany"] = "https://login.microsoftonline.de"; ... L194: try { L195: const oauthErrorResponse = JSON.parse(errorBody); L196: errorResponse = [redacted](oauthErrorResponse); ... L207: error: "unknown_error", L208: errorDescription: `An unknown error has occurred. Response body: L209: ... L255: function log(message, ...args) { L256: process2.stderr.write(`${util.format(message, ...args)}${EOL}`); L257: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunk-jb95wx8d.jsView on unpkg · L28
dist/chunk-ta4rpce6.jsView file
4917var executable_response_1 = require_executable_response(); L4918: var childProcess = __require("child_process"); L4919: var fs = __require("fs");
High
Child Process

Package source references child process execution.

dist/chunk-ta4rpce6.jsView on unpkg · L4917
6import { L7: require_base64_js L8: } from "./chunk-8sdgr592.js"; ... L18: L19: // node_modules/.bun/gaxios@7.1.4/node_modules/gaxios/package.json L20: var require_package = __commonJS((exports, module) => { ... L263: return; L264: } else if (obj instanceof FormData || obj instanceof URLSearchParams || "forEach" in obj && "set" in obj) { L265: obj.forEach((_, key) => { ... L558: const noProxyList = [...noProxy]; L559: const noProxyEnvList = (process.env.NO_PROXY ?? process.env.no_proxy)?.split(",") || []; L560: for (const rule of noProxyEnvList) {
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/chunk-ta4rpce6.jsView on unpkg · L6
dist/chunk-pfxrg89f.jsView file
83import fs4, { constants as fsConstants } from "fs/promises"; L84: var wslDrivesMountPoint, powerShellPathFromWsl = async () => { L85: const mountPoint = await wslDrivesMountPoint();
High
Shell

Package source references shell execution.

dist/chunk-pfxrg89f.jsView on unpkg · L83
dist/chunk-2whhcyfm.jsView file
658try { L659: var mod = eval("quire".replace(/^/, "re"))(moduleName); L660: if (mod && (mod.length || Object.keys(mod).length))
High
Eval

Package source references dynamic code evaluation.

dist/chunk-2whhcyfm.jsView on unpkg · L658
dist/chunk-a07hgnvm.jsView file
113execSyncWithDefaults_DEPRECATED, L114: execa, L115: execaSync, ... L164: init_slowOperations, L165: isDebugToStdErr, L166: isENOENT, ... L273: import { L274: axios_default, L275: init_axios ... L526: if ("CI" in env2) { L527: if (["GITHUB_ACTIONS", "GITEA_ACTIONS", "CIRCLECI"].some((key) => (key in env2))) { L528: return 3;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-a07hgnvm.jsView on unpkg · L113
113Trigger-reachable chain: manifest.bin -> dist/cli.js -> dist/chunk-5yc6h8kt.js -> dist/chunk-a07hgnvm.js L113: execSyncWithDefaults_DEPRECATED, L114: execa, L115: execaSync, ... L164: init_slowOperations, L165: isDebugToStdErr, L166: isENOENT, ... L273: import { L274: axios_default, L275: init_axios ... L526: if ("CI" in env2) { L527: if (["GITHUB_ACTIONS", "GITEA_ACTIONS", "CIRCLECI"].some((key) => (key in env2))) { L528: return 3;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-a07hgnvm.jsView on unpkg · L113
113execSyncWithDefaults_DEPRECATED, L114: execa, L115: execaSync, ... L164: init_slowOperations, L165: isDebugToStdErr, L166: isENOENT, ... L273: import { L274: axios_default, L275: init_axios ... L526: if ("CI" in env2) { L527: if (["GITHUB_ACTIONS", "GITEA_ACTIONS", "CIRCLECI"].some((key) => (key in env2))) { L528: return 3;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-a07hgnvm.jsView on unpkg · L113
dist/chunk-y5patg9p.jsView file
99Cross-file remote execution chain: dist/chunk-y5patg9p.js spawns dist/chunk-b95s01h5.js; helper contains network access plus dynamic code execution. L99: 3. You might have more than one copy of React in the same app L100: See https://react.dev/link/invalid-hook-call for tips about how to debug and fix this problem.`); L101: return dispatcher.useMemoCache(size); ... L193: function detectFromColorFgBg() { L194: const colorfgbg = process.env["COLORFGBG"]; L195: if (!colorfgbg) ... L2370: // src/utils/fullscreen.ts L2371: import { spawnSync } from "child_process"; L2372: function isTmuxControlModeEnvHeuristic() { ... L2395: return; L2396: tmuxControlModeProbed = result.stdout.trim() === "1"; L2397: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-y5patg9p.jsView on unpkg · L99
dist/chunk-tccn9978.jsView file
path = dist/chunk-tccn9978.js kind = oversized_source_file sizeBytes = 6143650 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunk-tccn9978.jsView on unpkg

Findings

3 Critical7 High5 Medium8 Low
CriticalCredential Exfiltrationdist/chunk-a07hgnvm.js
CriticalBrowser Credential Phishingdist/chunk-jb95wx8d.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-a07hgnvm.js
HighChild Processdist/chunk-ta4rpce6.js
HighShelldist/chunk-pfxrg89f.js
HighEvaldist/chunk-2whhcyfm.js
HighSandbox Evasion Gated Capabilitydist/chunk-jb95wx8d.js
HighCloud Metadata Accessdist/chunk-ta4rpce6.js
HighCross File Remote Execution Contextdist/chunk-y5patg9p.js
HighOversized Source Filedist/chunk-tccn9978.js
MediumSecret Patterndist/chunk-jb95wx8d.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-a07hgnvm.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/chunk-jb95wx8d.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings