registry  /  cac-windows  /  1.0.14

cac-windows@1.0.14

Claude Code Windows environment manager — identity isolation, fingerprint spoofing, timezone alignment.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 97.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 28.1 KB of source, external domains: cac.nextmind.space, github.com, registry.npmjs.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
25// Fallback: npm prefix L26: var spawnSync = require('child_process').spawnSync; L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Child Process

Package source references child process execution.

scripts/postinstall.jsView on unpkg · L25
4L5: var pkgDir = path.join(__dirname, '..'); L6: var cacBin = path.join(pkgDir, 'cac'); L7: var home = process.env.HOME || process.env.USERPROFILE || ''; L8: var cacDir = path.join(home, '.cac'); ... L12: L13: // Windows: override npm-generated shims (cac.cmd, cac.ps1) to use PowerShell version. L14: // npm auto-generates shims that call `bash cac`, but on Windows the system `bash` ... L16: // Windows entry point, so we make the shims call it directly. L17: if (process.platform === 'win32') { L18: try { ... L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/postinstall.jsView on unpkg · L4
4Cross-file remote execution chain: scripts/postinstall.js spawns cac-dns-guard.js; helper contains network access plus dynamic code execution. L4: L5: var pkgDir = path.join(__dirname, '..'); L6: var cacBin = path.join(pkgDir, 'cac'); L7: var home = process.env.HOME || process.env.USERPROFILE || ''; L8: var cacDir = path.join(home, '.cac'); ... L12: L13: // Windows: override npm-generated shims (cac.cmd, cac.ps1) to use PowerShell version. L14: // npm auto-generates shims that call `bash cac`, but on Windows the system `bash` ... L16: // Windows entry point, so we make the shims call it directly. L17: if (process.platform === 'win32') { L18: try { ... L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/postinstall.jsView on unpkg · L4
187console.log(' TZ patch will be skipped. Other cac features work normally.'); L188: console.log(' To get TZ support: npm i -g ' + CC_PKG + '@' + SUPPORTED_CLAUDE_VERSION); L189: } ... L193: if (needInstall) { L194: var installResult = spawnSync('npm', ['install', '-g', CC_PKG + '@' + SUPPORTED_CLAUDE_VERSION, L195: '--registry', 'https://registry.npmjs.org'], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.jsView on unpkg · L187
cac.ps1View file
path = cac.ps1 kind = build_helper sizeBytes = 36688 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

cac.ps1View on unpkg
cac-dns-guard.jsView file
matchType = normalized_sha256 matchedPackage = cac-windows@1.0.10 matchedPath = cac-dns-guard.js matchedIdentity = npm:Y2FjLXdpbmRvd3M:1.0.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

cac-dns-guard.jsView on unpkg

Findings

6 High5 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.js
HighSandbox Evasion Gated Capabilityscripts/postinstall.js
HighCross File Remote Execution Contextscripts/postinstall.js
HighRuntime Package Installscripts/postinstall.js
HighKnown Malware Source Similaritycac-dns-guard.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpercac.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings