registry  /  cac-windows  /  1.0.10

cac-windows@1.0.10

Claude Code Windows environment manager — identity isolation, fingerprint spoofing, timezone alignment.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. On Windows npm postinstall, the package alters the globally installed Claude Code runtime without an explicit user command. Its runtime wrapper can inject network-interception hooks into Claude Code processes and suppress selected telemetry/health-check behavior.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
Installing `cac-windows` with npm on Windows.
Impact
Mutates a foreign AI-agent executable and can change its network and identity behavior across subsequent Claude Code runs.
Mechanism
postinstall global AI-agent installation, binary patching, and wrapper-based hook injection
Policy narrative
The package's automatic Windows postinstall installs or invokes a separately owned Claude Code distribution, then patches the installed binary or JavaScript in place to alter timezone logic. Its generated wrappers inject process hooks that intercept DNS, sockets, TLS, and fetch; the shipped guard blocks telemetry destinations and fabricates success for Claude Code's API health check. These changes occur without the user first running the package's setup command and target a broad foreign AI-agent control surface.
Rationale
Direct inspection confirms unconsented postinstall mutation of global Claude Code installation files plus runtime network-control injection. This meets the firewall block boundary for foreign/broad AI-agent control-surface mutation.
Evidence
package.jsonscripts/postinstall.jscac-dns-guard.jscac.ps1@anthropic-ai/claude-code/install.cjs@anthropic-ai/claude-code/bin/claude.exe@anthropic-ai/claude-code/cli.js%USERPROFILE%\.cac\bin\claude.cmd%USERPROFILE%\.cac\bin\claude.ps1
Network endpoints2
registry.npmjs.orgapi.anthropic.com/api/hello

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` defines `postinstall`.
  • `scripts/postinstall.js` silently installs global `@anthropic-ai/claude-code@2.1.202` on Windows.
  • The lifecycle hook runs that package's `install.cjs` when its binary is absent.
  • The hook patches bytes in Claude Code's `bin/claude.exe` or edits its `cli.js`, retaining a `.bak` copy.
  • `cac-dns-guard.js` monkey-patches DNS, sockets, TLS, and `fetch`, including a direct Claude API health-check bypass.
  • `cac.ps1` creates `claude` wrappers that inject hooks through `NODE_OPTIONS` and alter Claude runtime configuration.
Evidence against
  • No credential collection or outbound exfiltration was found in the inspected package files.
  • The only explicit lifecycle network registry is `https://registry.npmjs.org` for the forced Claude Code installation.
  • Some proxy, timezone, and telemetry behavior is exposed as CLI functionality rather than hidden collection.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 25.8 KB of source, external domains: cac.nextmind.space, github.com, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cac-windows@1.0.4 matchedIdentity = npm:Y2FjLXdpbmRvd3M:1.0.4 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/postinstall.jsView on unpkg
25// Fallback: npm prefix L26: var spawnSync = require('child_process').spawnSync; L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Child Process

Package source references child process execution.

scripts/postinstall.jsView on unpkg · L25
4L5: var pkgDir = path.join(__dirname, '..'); L6: var cacBin = path.join(pkgDir, 'cac'); L7: var home = process.env.HOME || process.env.USERPROFILE || ''; L8: var cacDir = path.join(home, '.cac'); ... L12: L13: // Windows: override npm-generated shims (cac.cmd, cac.ps1) to use PowerShell version. L14: // npm auto-generates shims that call `bash cac`, but on Windows the system `bash` ... L16: // Windows entry point, so we make the shims call it directly. L17: if (process.platform === 'win32') { L18: try { ... L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/postinstall.jsView on unpkg · L4
4Cross-file remote execution chain: scripts/postinstall.js spawns cac-dns-guard.js; helper contains network access plus dynamic code execution. L4: L5: var pkgDir = path.join(__dirname, '..'); L6: var cacBin = path.join(pkgDir, 'cac'); L7: var home = process.env.HOME || process.env.USERPROFILE || ''; L8: var cacDir = path.join(home, '.cac'); ... L12: L13: // Windows: override npm-generated shims (cac.cmd, cac.ps1) to use PowerShell version. L14: // npm auto-generates shims that call `bash cac`, but on Windows the system `bash` ... L16: // Windows entry point, so we make the shims call it directly. L17: if (process.platform === 'win32') { L18: try { ... L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/postinstall.jsView on unpkg · L4
187console.log(' TZ patch will be skipped. Other cac features work normally.'); L188: console.log(' To get TZ support: npm i -g ' + CC_PKG + '@' + SUPPORTED_CLAUDE_VERSION); L189: } ... L193: if (needInstall) { L194: var installResult = spawnSync('npm', ['install', '-g', CC_PKG + '@' + SUPPORTED_CLAUDE_VERSION, L195: '--registry', 'https://registry.npmjs.org'], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.jsView on unpkg · L187
cac.ps1View file
path = cac.ps1 kind = build_helper sizeBytes = 36152 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

cac.ps1View on unpkg
cac-dns-guard.jsView file
matchType = normalized_sha256 matchedPackage = cac-windows@1.0.9 matchedPath = cac-dns-guard.js matchedIdentity = npm:Y2FjLXdpbmRvd3M:1.0.9 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

cac-dns-guard.jsView on unpkg

Findings

1 Critical6 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.js
HighSandbox Evasion Gated Capabilityscripts/postinstall.js
HighCross File Remote Execution Contextscripts/postinstall.js
HighRuntime Package Installscripts/postinstall.js
HighKnown Malware Source Similaritycac-dns-guard.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpercac.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings