registry  /  cac-windows  /  1.0.11

cac-windows@1.0.11

Claude Code Windows environment manager — identity isolation, fingerprint spoofing, timezone alignment.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. npm postinstall performs unconsented installation, execution, and binary/source patching of the separate Claude Code package. It also replaces global command shims and deploys runtime hooks into the user’s Claude Code process.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
Installing `cac-windows` on Windows runs its npm `postinstall`.
Impact
Changes Claude Code’s executable behavior and launch path without an explicit `cac` command.
Mechanism
Lifecycle-driven foreign AI-agent installation, shim replacement, and binary patching.
Policy narrative
On Windows installation, the postinstall script can install a pinned global Claude Code package, invoke its installer, overwrite global `cac` shims using PowerShell execution-policy bypass, and patch Claude Code binaries or `cli.js`. The package’s runtime design injects a DNS/network interception hook into Claude Code. These are concrete, unconsented lifecycle mutations of a foreign AI-agent control surface, regardless of the stated privacy purpose.
Rationale
Direct source inspection confirms broad Claude Code installation, execution, shim replacement, and binary/source modification during npm postinstall. This meets the block boundary for unconsented install-time mutation of a foreign AI-agent control surface.
Evidence
package.jsonscripts/postinstall.jscac.ps1cac-dns-guard.js%APPDATA%\npm\cac.cmd%APPDATA%\npm\cac.ps1%APPDATA%\npm\node_modules\@anthropic-ai\claude-code\bin\claude.exe%APPDATA%\npm\node_modules\@anthropic-ai\claude-code\cli.js~/.cac
Network endpoints3
registry.npmjs.orgapi.ipify.orgip-api.com/json/

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/postinstall.js`.
  • On Windows, `scripts/postinstall.js` installs `@anthropic-ai/claude-code@2.1.202` globally without user action.
  • The lifecycle script executes Claude Code’s `install.cjs`.
  • The lifecycle script modifies Claude Code’s `bin/claude.exe`, `bin/claude`, or `cli.js`, preserving backups.
  • It overwrites global `cac.cmd` and `cac.ps1` shims with PowerShell execution-policy bypass commands.
  • `cac-dns-guard.js` is injected into Claude Code through `NODE_OPTIONS` and intercepts DNS/network APIs.
Evidence against
  • No direct credential-exfiltration endpoint was found in inspected source.
  • Observed network calls are npm registry installation and user-invoked IP/timezone checks.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 26.7 KB of source, external domains: cac.nextmind.space, github.com, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cac-windows@1.0.4 matchedIdentity = npm:Y2FjLXdpbmRvd3M:1.0.4 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/postinstall.jsView on unpkg
25// Fallback: npm prefix L26: var spawnSync = require('child_process').spawnSync; L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Child Process

Package source references child process execution.

scripts/postinstall.jsView on unpkg · L25
4L5: var pkgDir = path.join(__dirname, '..'); L6: var cacBin = path.join(pkgDir, 'cac'); L7: var home = process.env.HOME || process.env.USERPROFILE || ''; L8: var cacDir = path.join(home, '.cac'); ... L12: L13: // Windows: override npm-generated shims (cac.cmd, cac.ps1) to use PowerShell version. L14: // npm auto-generates shims that call `bash cac`, but on Windows the system `bash` ... L16: // Windows entry point, so we make the shims call it directly. L17: if (process.platform === 'win32') { L18: try { ... L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/postinstall.jsView on unpkg · L4
4Cross-file remote execution chain: scripts/postinstall.js spawns cac-dns-guard.js; helper contains network access plus dynamic code execution. L4: L5: var pkgDir = path.join(__dirname, '..'); L6: var cacBin = path.join(pkgDir, 'cac'); L7: var home = process.env.HOME || process.env.USERPROFILE || ''; L8: var cacDir = path.join(home, '.cac'); ... L12: L13: // Windows: override npm-generated shims (cac.cmd, cac.ps1) to use PowerShell version. L14: // npm auto-generates shims that call `bash cac`, but on Windows the system `bash` ... L16: // Windows entry point, so we make the shims call it directly. L17: if (process.platform === 'win32') { L18: try { ... L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/postinstall.jsView on unpkg · L4
187console.log(' TZ patch will be skipped. Other cac features work normally.'); L188: console.log(' To get TZ support: npm i -g ' + CC_PKG + '@' + SUPPORTED_CLAUDE_VERSION); L189: } ... L193: if (needInstall) { L194: var installResult = spawnSync('npm', ['install', '-g', CC_PKG + '@' + SUPPORTED_CLAUDE_VERSION, L195: '--registry', 'https://registry.npmjs.org'], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.jsView on unpkg · L187
cac.ps1View file
path = cac.ps1 kind = build_helper sizeBytes = 36152 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

cac.ps1View on unpkg
cac-dns-guard.jsView file
matchType = normalized_sha256 matchedPackage = cac-windows@1.0.10 matchedPath = cac-dns-guard.js matchedIdentity = npm:Y2FjLXdpbmRvd3M:1.0.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

cac-dns-guard.jsView on unpkg

Findings

1 Critical6 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.js
HighSandbox Evasion Gated Capabilityscripts/postinstall.js
HighCross File Remote Execution Contextscripts/postinstall.js
HighRuntime Package Installscripts/postinstall.js
HighKnown Malware Source Similaritycac-dns-guard.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpercac.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings