registry  /  cac-windows  /  1.0.9

cac-windows@1.0.9

Claude Code Windows environment manager — identity isolation, fingerprint spoofing, timezone alignment.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. On Windows, installation silently installs a pinned Claude Code package, can execute its installer, and byte-patches its Claude executable. It also rewrites npm command shims and updates existing `~/.cac` runtime wrappers.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm installation on Windows
Impact
Compromises the integrity and runtime behavior of Claude Code without an explicit user command.
Mechanism
postinstall mutation of a foreign AI-agent installation and executable
Policy narrative
Installing this package on Windows triggers code that checks for `@anthropic-ai/claude-code`, installs it globally if missing, executes its installer if necessary, and modifies the Claude executable in place. The change is intended to alter Claude Code's date behavior and is paired with wrapper-based proxy, telemetry, and fingerprint manipulation. These actions target a separate AI-agent installation without a user-invoked setup command.
Rationale
This is a concrete unconsented `postinstall` mutation of a foreign AI-agent control surface, meeting the block boundary. The lack of credential exfiltration does not mitigate the lifecycle hijack.
Evidence
package.jsonscripts/postinstall.jscac.ps1cac-dns-guard.jsREADME.md%APPDATA%\npm\node_modules\@anthropic-ai\claude-code\install.cjs%APPDATA%\npm\node_modules\@anthropic-ai\claude-code\bin\claude.exe%USERPROFILE%\.cac\bin\claude
Network endpoints1
registry.npmjs.org

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/postinstall.js` at install time.
  • On Windows, `scripts/postinstall.js` silently runs `npm install -g @anthropic-ai/claude-code@2.1.202`.
  • The same hook executes the foreign package's `install.cjs` when its binary is absent.
  • The hook overwrites matching Claude executable bytes after saving a `.bak`, changing date behavior via `process.env.TZ`.
  • `cac.ps1` writes wrappers that inject proxy, telemetry-disable, and fingerprint-altering environment into `claude`.
  • `cac.ps1` also rewrites `~/.claude.json` userID and Statsig stable-ID files when invoked.
Evidence against
  • No package source sends harvested credentials or local data to a package-controlled endpoint.
  • No `eval`, VM, dynamic remote loader, or embedded payload was found in inspected files.
  • The only lifecycle network endpoint is the public npm registry used to install the pinned foreign package.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 24.4 KB of source, external domains: cac.nextmind.space, github.com, registry.npmjs.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cac-windows@1.0.4 matchedIdentity = npm:Y2FjLXdpbmRvd3M:1.0.4 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/postinstall.jsView on unpkg
25// Fallback: npm prefix L26: var spawnSync = require('child_process').spawnSync; L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Child Process

Package source references child process execution.

scripts/postinstall.jsView on unpkg · L25
4L5: var pkgDir = path.join(__dirname, '..'); L6: var cacBin = path.join(pkgDir, 'cac'); L7: var home = process.env.HOME || process.env.USERPROFILE || ''; L8: var cacDir = path.join(home, '.cac'); ... L12: L13: // Windows: override npm-generated shims (cac.cmd, cac.ps1) to use PowerShell version. L14: // npm auto-generates shims that call `bash cac`, but on Windows the system `bash` ... L16: // Windows entry point, so we make the shims call it directly. L17: if (process.platform === 'win32') { L18: try { ... L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/postinstall.jsView on unpkg · L4
4Cross-file remote execution chain: scripts/postinstall.js spawns cac-dns-guard.js; helper contains network access plus dynamic code execution. L4: L5: var pkgDir = path.join(__dirname, '..'); L6: var cacBin = path.join(pkgDir, 'cac'); L7: var home = process.env.HOME || process.env.USERPROFILE || ''; L8: var cacDir = path.join(home, '.cac'); ... L12: L13: // Windows: override npm-generated shims (cac.cmd, cac.ps1) to use PowerShell version. L14: // npm auto-generates shims that call `bash cac`, but on Windows the system `bash` ... L16: // Windows entry point, so we make the shims call it directly. L17: if (process.platform === 'win32') { L18: try { ... L27: var result = spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', shell: true });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/postinstall.jsView on unpkg · L4
187console.log(' TZ patch will be skipped. Other cac features work normally.'); L188: console.log(' To get TZ support: npm i -g ' + CC_PKG + '@' + SUPPORTED_CLAUDE_VERSION); L189: } ... L193: if (needInstall) { L194: var installResult = spawnSync('npm', ['install', '-g', CC_PKG + '@' + SUPPORTED_CLAUDE_VERSION, L195: '--registry', 'https://registry.npmjs.org'], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.jsView on unpkg · L187
cac.ps1View file
path = cac.ps1 kind = build_helper sizeBytes = 36152 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

cac.ps1View on unpkg

Findings

1 Critical5 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.js
HighSandbox Evasion Gated Capabilityscripts/postinstall.js
HighCross File Remote Execution Contextscripts/postinstall.js
HighRuntime Package Installscripts/postinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpercac.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings