registry  /  @threadbase-sh/streamer  /  1.22.2

@threadbase-sh/streamer@1.22.2

PTY session management, WebSocket streaming, and REST API server for Claude Code conversations

AI Security Review

scanned 7d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface was found. Residual risk is explicit/user-invoked Claude config seeding and PTY control of Claude sessions with acceptEdits.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm postinstall, explicit CLI server/session use, or direct seed-claude-config execution
Impact
Can run Claude sessions and, when explicitly invoked, mark a configured Claude project trusted; install hook only changes node-pty helper permissions.
Mechanism
dependency chmod plus first-party Claude PTY streaming/config seeding
Rationale
Source inspection supports a warning rather than a block: the npm postinstall is narrowly scoped to chmoding node-pty's helper, while the Claude config and update behaviors are explicit/runtime features. Because the package can modify Claude trust state when invoked, keep it flagged as agent extension lifecycle risk, not malicious malware.
Evidence
package.jsondist/index.cjsdist/cli.cjsdist/seed-claude-config.cjsnode_modules/node-pty/prebuilds/<platform>-<arch>/spawn-helper~/.threadbase/server.yaml$CLAUDE_CONFIG~/.claude/projects/<encoded-project>/<session>.jsonl~/.threadbase/releases~/.threadbase/current~/.threadbase/cli.js
Network endpoints6
api.github.comlocalhost:8081localhost:19006localhost:3000localhost:<port>ws://localhost:<port>/ws

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall chmods node-pty prebuild spawn-helper in dependency path
  • dist/index.cjs spawns Claude via node-pty with --permission-mode acceptEdits
  • dist/seed-claude-config.cjs can write CLAUDE_CONFIG to accept trust/onboarding for /data/.claude/projects
  • dist/cli.cjs has user-invoked update path fetching GitHub release assets
Evidence against
  • postinstall has no network, payload execution, or AI-agent config mutation
  • Claude config mutation is in explicit seed script, not npm install lifecycle
  • Update downloads verify manifest sha256/size and require update config or signed webhook secret
  • Network endpoints are package-aligned local server, GitHub updater, and localhost pairing
  • No credential harvesting or exfiltration flow found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 1.34 MB of source, external domains: github.com, json-schema.org
Oversized source lightweight scan
dist/cli.cjs6.81 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoHighEntropyStrings

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join(require.resolve('node-pty'),'..','..','prebuilds',process.platform+'-'+process.arch,'spawn-helper'),0o755)}catch{}"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join(require.resolve('node-pty'),'..','..','prebuilds',process.platform+'-'+process.arch,'spawn-helper'),0o755)}catch{}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @threadbase-sh/streamer@1.24.4 matchedIdentity = npm:QHRocmVhZGJhc2Utc2gvc3RyZWFtZXI:1.24.4 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
483// src/process-discovery.ts L484: import { execFile } from "child_process"; L485: import { platform as platform2 } from "os";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L483
55} L56: function readAgentConfig(env = process.env) { L57: const enabled = isTruthy(env.MULTI_AGENT_FLOW); ... L160: try { L161: return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected)); L162: } catch { ... L179: const app = new Hono(); L180: app.post("/sessions/:sessionId/progress", async (c) => { L181: if (!deps.agentConfig.enabled) { ... L281: function configDir() { L282: return process.env.THREADBASE_CONFIG_DIR ?? join2(homedir(), ".threadbase"); L283: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L55
dist/index.cjsView file
101Cross-file remote execution chain: dist/index.cjs spawns dist/index.js; helper contains network access plus dynamic code execution. L101: } L102: function readAgentConfig(env = process.env) { L103: const enabled = isTruthy(env.MULTI_AGENT_FLOW); ... L206: try { L207: return import_node_crypto.default.timingSafeEqual(Buffer.from(signature), Buffer.from(expected)); L208: } catch { ... L225: const app = new import_hono.Hono(); L226: app.post("/sessions/:sessionId/progress", async (c) => { L227: if (!deps.agentConfig.enabled) { ... L327: function configDir() { L328: return process.env.THREADBASE_CONFIG_DIR ?? (0, import_path.join)((0, import_os.homedir)(), ".threadbase"); L329: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.cjsView on unpkg · L101
dist/cli.cjsView file
path = dist/cli.cjs kind = oversized_source_file sizeBytes = 7139736 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.cjsView on unpkg
path = dist/cli.cjs kind = oversized_cli_entrypoint sizeBytes = 7139736 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.cjsView on unpkg

Findings

2 Critical5 High4 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalPrevious Version Dangerous Deltadist/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.cjs
HighOversized Source Filedist/cli.cjs
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.cjs
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings