
makecoder@4.1.35

MakeCoder Coder: AI Agent Runtime OS that runs and orchestrates Claude Code, Codex, Gemini and more across CLI, API, Web and chat

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. The package has a real install/runtime lifecycle surface, but source inspection shows package-aligned setup rather than confirmed malware. The risk centers on postinstall dependency/tool placement and on the explicit agent/desktop integration commands.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: npm install; global npm install; user runs coder or coder claude app/setup flows
Impact: May install Bun dependencies, place search-tool binaries on the global PATH for global installs, and, on an explicit command, configure MakeCoder-mediated Claude/Codex/Gemini integrations.
Mechanism: postinstall tool bootstrap and first-party agent runtime integration
Rationale: The package is not clean: it has install-time execution, bundled binaries, and agent integration/configuration capabilities. The inspected behavior, however, is package-aligned, and the AI-agent control surfaces are reached only through explicit user commands. This supports a warning rather than a publish block.
Evidence
  • package.json
  • scripts/postinstall.js
  • dist/coder.js
  • dist/<platform>/rg
  • dist/<platform>/ugrep
  • dist/<platform>/bfs
  • ~/Library/Application Support/Claude-3p/claude_desktop_config.json
  • ~/Library/Application Support/Claude-3p/configLibrary/*.json
  • ~/Library/Application Support/Claude-3p/claude-code/<version>/claude.app/Contents/MacOS/claude
Network endpoints (6)
  • api.makecoder.com/v1
  • cdn.makecoder.com/cdnuploads/claude-app/Claude-darwin-universal-1.12603.1.dmg
  • registry.npmmirror.com/makecoder/latest
  • skills.sh/api/search
  • api.github.com/repos/
  • raw.githubusercontent.com/

Decision evidence

public snapshot
The AI classifier rated this Suspicious (Dangerous Capability) at 78.0% confidence, with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/postinstall.js
  • scripts/postinstall.js auto-runs npm install bun@latest plus the @oven-sh platform package if bun is absent
  • scripts/postinstall.js, on global installs, removes/copies/symlinks the bundled rg/ugrep/bfs into the npm global bin
  • dist/coder.js, on the explicit coder claude app setup command, writes Claude-3p config, gateway API key config, and shim files
  • dist/coder.js can install/update the Claude/Codex desktop apps from cdn.makecoder.com when the user invokes the app flows
Evidence against
  • Postinstall is limited to Bun/tool setup; no credential harvesting or exfiltration was found there
  • AI-agent config mutation happens under the explicit coder claude app/setup and related runtime commands, not under npm postinstall
  • Network endpoints are package-aligned: api.makecoder.com, cdn.makecoder.com, registry.npmmirror.com, skills.sh, GitHub
  • Bundled native binaries appear to be search/shim tools used by the CLI runtime
  • The clipboard crypto-hijack hint was not confirmed as package attack behavior in the inspected source
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, Minified, Obfuscated, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 476 file(s), 13.3 MB of source, external domains: 127.0.0.1, ai.google.dev, aiplatform.googleapis.com, api.github.com, api.makecoder.com, asdf.c, asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdf.com, base64.guru, bugs.chromium.org, bun.sh, cdn.makecoder.com, chromestatus.com, chromewebstore.google.com, chromium.googlesource.com, chromiumdash.appspot.com, code.claude.com, datatracker.ietf.org, developer.chrome.com, developer.mozilla.org, developers.google.com, docs.expo.dev, docs.stripe.com, dotenvx.com, elevenlabs.io, empty.invalid, example.com, example.net.il, example.org, examples.com, fb.me, fburl.com, fedidcg.github.io, feross.org, ffmpeg.org, geminicli.com, github.com, goo.gle, google.com, html.spec.whatwg.org, huggingface.co, imagemagick.org, jimeng.jianying.com, jimmy.warting.se, jqlang.github.io, json-schema.org, jsonplaceholder.typicode.com, makecoder.com, my.local, nodejs.org, pandoc.org
Oversized source lightweight scan
dist/coder.js: 2.51 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, EnvironmentVars, Crypto, HighEntropyStrings, Minified, UrlStrings
  domains: api.github.com, api.makecoder.com, bun.sh, cdn.makecoder.com, docs.stripe.com, elevenlabs.io, ffmpeg.org, github.com, imagemagick.org, jimeng.jianying.com, jqlang.github.io, makecoder.com, pandoc.org, raw.githubusercontent.com, registry.npmmirror.com, skills.sh, stripe.com, www.npmjs.com
dist/darwin-arm64/cc.js: 15.8 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, EnvironmentVars, NativeBindings, Crypto, HighEntropyStrings, Minified, UrlStrings
  domains: aiplatform.googleapis.com, code.claude.com, docs.expo.dev, github.com
dist/darwin-x64/cc.js: 15.8 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, EnvironmentVars, NativeBindings, Crypto, HighEntropyStrings, Minified, UrlStrings
  domains: aiplatform.googleapis.com, code.claude.com, docs.expo.dev, github.com
dist/gemini/bundled/chrome-devtools-mcp.mjs: 11.1 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, EnvironmentVars, Shell, HighEntropyStrings, UrlStrings
  domains: chromewebstore.google.com, github.com, nodejs.org
dist/gemini/bundled/third_party/index.js: 7.62 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, Crypto, Shell, HighEntropyStrings, UrlStrings
  domains: bugs.chromium.org, chromestatus.com, chromium.googlesource.com, chromiumdash.appspot.com, datatracker.ietf.org, developer.chrome.com, developer.mozilla.org, developers.google.com, fedidcg.github.io, github.com, goo.gle, html.spec.whatwg.org, privacycg.github.io, privacysandbox.com, web.dev, wicg.github.io, www.chromium.org, www.ietf.org, www.rfc-editor.org, xhr.spec.whatwg.org
dist/gemini/chunk-GYTCBA2A.js: 7.61 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, EnvironmentVars, Eval, Crypto, HighEntropyStrings, Minified, UrlStrings
  domains: feross.org, github.com, huggingface.co, jimmy.warting.se, www.apache.org
dist/gemini/chunk-PE6GLDYB.js: 7.58 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, EnvironmentVars, Eval, Crypto, HighEntropyStrings, Minified, UrlStrings
  domains: feross.org, github.com, huggingface.co, jimmy.warting.se, www.apache.org
dist/linux-arm64/cc.js: 15.8 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, EnvironmentVars, NativeBindings, Crypto, HighEntropyStrings, Minified, UrlStrings
  domains: aiplatform.googleapis.com, code.claude.com, docs.expo.dev, github.com
dist/linux-x64/cc.js: 15.8 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, EnvironmentVars, NativeBindings, Crypto, HighEntropyStrings, Minified, UrlStrings
  domains: aiplatform.googleapis.com, code.claude.com, docs.expo.dev, github.com
dist/win32-x64/cc.js: 15.8 MB file, sampled 256 KB
  signals: Filesystem, Network, ChildProcess, EnvironmentVars, NativeBindings, Crypto, HighEntropyStrings, Minified, UrlStrings
  domains: aiplatform.googleapis.com, code.claude.com, docs.expo.dev, github.com

Source & flagged code

23 flagged

package.json
  High: Install Time Lifecycle Scripts
  Package defines install-time lifecycle scripts.
  Flagged: scripts.postinstall = node scripts/postinstall.js

package.json
  Medium: Ambiguous Install Lifecycle Script
  Install-time lifecycle script is not statically allowlisted and needs review.
  Flagged: scripts.postinstall = node scripts/postinstall.js
dist/gemini/tree-sitter-bash-GW2AIDO2.js · L2
  Critical: Critical Secret
  Package contains a critical-looking secret pattern.
  Flagged: patternName = aws_access_key severity = critical line = 2 matchedText = import{g...lt};

dist/gemini/tree-sitter-bash-GW2AIDO2.js · L2
  Critical: Secret Pattern
  AWS access key ID in dist/gemini/tree-sitter-bash-GW2AIDO2.js
  Flagged: patternName = aws_access_key severity = critical line = 2 matchedText = import{g...lt};
dist/gemini/gemini-QA25TZIT.js · L91
  High: Child Process
  Package source references child process execution.
  Flagged excerpt:
    L91:
    L92: Migrate hooks from Claude Code to Gemini CLI format.`),await X()}};var Ai={command:"hooks <command>",aliases:["hook"],describe:"Manage Gemini CLI hooks.",builder:n=>n.middleware(e=...
    L93: `);if(c>0&&d.length>0){let u=Buffer.allocUnsafe(1),{bytesRead:h}=await s.read(u,0,1,c-1);h===1&&u[0]!==10&&d.shift()}return d.length>0&&d[d.length-1]===""&&d.pop(),d.length===0?"":...

dist/gemini/gemini-QA25TZIT.js · L91
  High: Same File Env Network Execution
  A single source file combines environment access, network access, and code or shell execution; review context before blocking.
  Flagged excerpt:
    L91:
    L92: Migrate hooks from Claude Code to Gemini CLI format.`),await X()}};var Ai={command:"hooks <command>",aliases:["hook"],describe:"Manage Gemini CLI hooks.",builder:n=>n.middleware(e=...
    L93: `);if(c>0&&d.length>0){let u=Buffer.allocUnsafe(1),{bytesRead:h}=await s.read(u,0,1,c-1);h===1&&u[0]!==10&&d.shift()}return d.length>0&&d[d.length-1]===""&&d.pop(),d.length===0?"":...
    ...
    L95: `}finally{await s.close()}}function yd(n){return new Promise((e,t)=>{n.once("error",t),n.once("close",s=>e(s??1))})}async function $p(n,e,t){let s=t?["-f","-n",String(e),n]:["-n",S...
    L96: `);let r=await $p(e,o,s);await X(r)}catch(r){r instanceof Error&&"code"in r&&r.code==="ENOENT"?s?(g.error('"tail" command not found. Use --lines N to view recent logs without tail....
    L97: `))}return{workspacePoliciesDir:o,policyUpdateConfirmationRequest:r}}var En=n=>n.length===1&&n[0]===""?[""]:n.flatMap(e=>e.split(",").map(t=>t.trim()).filter(Boolean));function Hp(...

dist/gemini/gemini-QA25TZIT.js · L80
  High: Command Output Exfiltration
  Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
  Flagged excerpt:
    L80: Run "gemini extensions list" for details.`);return}if(!r.installMetadata){g.log(`Unable to install extension "${n.name}" due to missing install metadata`);return}let a=await Qa(r,s...
    L81: `))}catch(r){g.error(Q(r))}}var Bc={command:"update [<name>] [--all]",describe:"Updates all extensions or a named extension to the latest version.",builder:n=>n.positional("name",{...
    L82: `);return}process.stdout.write(bn.default.bold("Discovered Agent Skills:")+`
    ...
    L91:
    L92: Migrate hooks from Claude Code to Gemini CLI format.`),await X()}};var Ai={command:"hooks <command>",aliases:["hook"],describe:"Manage Gemini CLI hooks.",builder:n=>n.middleware(e=...
    L93: `);if(c>0&&d.length>0){let u=Buffer.allocUnsafe(1),{bytesRead:h}=await s.read(u,0,1,c-1);h===1&&u[0]!==10&&d.shift()}return d.length>0&&d[d.length-1]===""&&d.pop(),d.length===0?"":...

dist/gemini/gemini-QA25TZIT.js · L6
  High: Remote Agent Bridge
  Source exposes local file and command tools to a remote model endpoint.
  Flagged excerpt:
    L6: `),r.border&&(o.unshift("."+"-".repeat(this.negatePadding(r)+2)+"."),o.push("'"+"-".repeat(this.negatePadding(r)+2)+"'")),r.padding&&(o.unshift(...new Array(r.padding[Du]||0).fill(...
    L7: `),o+=n.charAt(r);return t&&s&&(o=`${t}${o}${s}`),o}function qo(n){return Dl(n,{stringWidth:e=>[...e].length,stripAnsi:Wo,wrap:Fl})}import{dirname as Ul,resolve as Gl}from"path";im...
    L8: `:j=`${T} [${t("command")}]
    ...
    L91:
    L92: Migrate hooks from Claude Code to Gemini CLI format.`),await X()}};var Ai={command:"hooks <command>",aliases:["hook"],describe:"Manage Gemini CLI hooks.",builder:n=>n.middleware(e=...
    L93: `);if(c>0&&d.length>0){let u=Buffer.allocUnsafe(1),{bytesRead:h}=await s.read(u,0,1,c-1);h===1&&u[0]!==10&&d.shift()}return d.length>0&&d[d.length-1]===""&&d.pop(),d.length===0?"":...
    ...
    L159: Content from @${v.uri}:
    L160: `}),"text"in v?P.push({text:v.text}):P.push({inlineData:{mimeType:v.mimeType??"application/octet-stream",data:v.blob}})}return P}debug(e){this.context.config.getDebugMode()&&g.warn...
    L161: ${t}

dist/gemini/gemini-QA25TZIT.js · L5
  Medium: Install Persistence
  Source writes installer persistence such as shell profile or service configuration.
  Flagged excerpt:
    L5: `):o=r.text.split(`
    L6: `),r.border&&(o.unshift("."+"-".repeat(this.negatePadding(r)+2)+"."),o.push("'"+"-".repeat(this.negatePadding(r)+2)+"'")),r.padding&&(o.unshift(...new Array(r.padding[Du]||0).fill(...
    L7: `),o+=n.charAt(r);return t&&s&&(o=`${t}${o}${s}`),o}function qo(n){return Dl(n,{stringWidth:e=>[...e].length,stripAnsi:Wo,wrap:Fl})}import{dirname as Ul,resolve as Gl}from"path";im...
    L8: `:j=`${T} [${t("command")}]
    ...
    L14: #
    L15: # Installation: {{app_path}} {{completion_command}} >> ~/.bashrc
    L16: # or {{app_path}} {{completion_command}} >> ~/.bash_profile on OSX.
    ...
    L61: ${s("Argument: %s, Given: %s, Choices: %s",w,e.stringifiedValues(f[w]),e.stringifiedValues(h.choices[w]))}`}),e.fail(_)};let a={};r.implies=function(u,h){H("<string|object> [array|...
    L62: `;h.forEach(x=>{f+=x}),e.fail(f)}};let c={};r.conflicts=function(u,h){H("<string|object> [array|string]",[u,h],arguments.length),typeof u=="object"?Object.keys(u).forEach(f=>{r.con...
    L63: `),void 0,"versionWarning"),m(this,J,"f").key[e]=!0,t.alias&&this.alias(e,t.alias);let s=t.deprecate||t.deprecated;s&&this.deprecateOption(e,s);let o=t.demand||t.required||t.requir...
    ...
    L80: Run "gemini extensions list" fo
dist/gemini/chunk-ZKZMOUOK.js · L1
  Critical: Clipboard Crypto Hijack
  Source reads and rewrites clipboard contents matching cryptocurrency wallet addresses.
  Flagged excerpt:
    L1: const require = (await import('node:module')).createRequire(import.meta.url); const __chunk_filename = (await import('node:url')).fileURLToPath(import.meta.url); const __chunk_dirn...
    L2: import{b as YA,c as hs}from"./chunk-TU3BMADG.js";import{a as eQ,b as mh}from"./chunk-Y2ZPDBAZ.js";import{$ as qR,D as ib,E as yt,Ea as nQ,F as ch,Fa as rQ,G as In,Ga as iQ,H as Yn,...
    L3: at`)?" (<anonymous>)":-1<A.stack.indexOf("@")?"@unknown:0:0":""}return`
    ...
    L8: Error generating stack: `+A.message+`
    L9: `+A.stack}}function te(a,c){if(typeof a=="object"&&a!==null){var A=MT.get(a);return A!==void 0?A:(c={value:a,source:c,stack:z(c)},MT.set(a,c),c)}return{value:a,source:c,stack:z(c)}...
    L10: `+(h.join(" > ")+`
    ...
    L12: No matching component was found for:
    L13: `)+a.join(" > ")}return null},Tt.getPublicRootInstance=function(a){if(a=a.current,!a.child)return null;switch(a.child.tag){case 27:case 5:return TA(a.child.stateNode);default:retur...
    L14: `)),!/^\s*at /.test(t[0])&&/^\s*at /.test(t[1])&&(t=t.slice(1));let r=!1,i=null,o=[];return t.forEach(s=>{if(s=s.replace(/\\/g,"/"),this._internals.some(u=>u.test(s)))return;let l=...
    L15: `).join("")}captureString(t,n=this.captureString){typeof t=="

dist/gemini/chunk-ZKZMOUOK.js · L113
  High: Shell
  Package source references shell execution.
  Flagged excerpt:
    L113: ${r.message}`:E,S=[B,t,e].filter(Boolean).join(`
    L114: `);return I?(r.originalMessage=r.message,r.message=S):r=new Error(S),r.shortMessage=B,r.command=s,r.escapedCommand=l,r.exitCode=o,r.signal=i,r.signalDescription=g,r.stdout=e,r.stde...
    L115: https://github.com/highlightjs/highlight.js/issues/2277`),X=z,be=te),Z===void 0&&(Z=!0);let V={code:be,language:X};Y("before:highlight",V);let ce=V.result?V.result:m(V.language,V.c...
dist/zod/v4-mini/index.cjs · L16
  Medium: Dynamic Require
  Package source references dynamic require/import behavior.
  Flagged excerpt:
    L16: Object.defineProperty(exports, "__esModule", { value: true });
    L17: __exportStar(require("../v4/mini/index.cjs"), exports);
scripts/postinstall.js · L4
  High: Sandbox Evasion Gated Capability
  Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
  Flagged excerpt:
    L4:  const path = require('path');
    L5:  const { execFileSync } = require('child_process');
    L6:  ...
    L15: function isBunAvailable() {
    L16: const isWindows = process.platform === 'win32';
    L17: const binName = isWindows ? 'bun.exe' : 'bun';
    ...
    L29: isWindows ? 'bun/bin/bun.exe' : 'bun/bin/bun',
    L30: { paths: [path.join(__dirname, '..')] },
    L31: );
    ...
    L35: // 3. ~/.bun/bin/bun (curl bun.sh/install fallback location)
    L36: const home = process.env.HOME || process.env.USERPROFILE || '';
    L37: if (home && fs.existsSync(path.join(home, '.bun', 'bin', binName))) {
dist/linux-arm64/rg
  Medium: Ships Native Binary
  Package ships native binary artifacts.
  Flagged: path = dist/linux-arm64/rg kind = native_binary sizeBytes = 4543848 magicHex = [redacted]
dist/coder.js
  High: Oversized Source File
  Package contains source files above the static scanner size ceiling.
  Flagged: path = dist/coder.js kind = oversized_source_file sizeBytes = 2630711 magicHex = [redacted]

dist/coder.js
  Medium: Oversized Cli Entrypoint
  Package contains an oversized executable-looking CLI entrypoint.
  Flagged: path = dist/coder.js kind = oversized_cli_entrypoint sizeBytes = 2630711 magicHex = [redacted]
dist/zod/src/v4/mini/tests/string.test.ts · L289
  Critical: Secret Pattern
  Supabase service role key (JWT) in dist/zod/src/v4/mini/tests/string.test.ts
  Flagged: patternName = supabase_service_key severity = critical line = 289 matchedText = "eyJhbGc...w5c"

dist/zod/src/v4/mini/tests/string.test.ts · L292
  Critical: Secret Pattern
  Supabase service role key (JWT) in dist/zod/src/v4/mini/tests/string.test.ts
  Flagged: patternName = supabase_service_key severity = critical line = 292 matchedText = "eyJhbGc...w5c"
dist/zod/src/v4/classic/tests/refine.test.ts · L66
  Medium: Secret Pattern
  Hardcoded password in dist/zod/src/v4/classic/tests/refine.test.ts
  Flagged: patternName = generic_password severity = medium line = 66 matchedText = password...aa",

dist/zod/src/v4/classic/tests/refine.test.ts · L93
  Medium: Secret Pattern
  Hardcoded password in dist/zod/src/v4/classic/tests/refine.test.ts
  Flagged: patternName = generic_password severity = medium line = 93 matchedText = password...rd",

dist/zod/src/v4/classic/tests/refine.test.ts · L103
  Medium: Secret Pattern
  Hardcoded password in dist/zod/src/v4/classic/tests/refine.test.ts
  Flagged: patternName = generic_password severity = medium line = 103 matchedText = password...rd",
dist/zod/src/v3/tests/refine.test.ts · L40
  Medium: Secret Pattern
  Hardcoded password in dist/zod/src/v3/tests/refine.test.ts
  Flagged: patternName = generic_password severity = medium line = 40 matchedText = password...aa",

dist/zod/src/v3/tests/refine.test.ts · L74
  Medium: Secret Pattern
  Hardcoded password in dist/zod/src/v3/tests/refine.test.ts
  Flagged: patternName = generic_password severity = medium line = 74 matchedText = password...rd",

Findings

5 Critical · 9 High · 13 Medium · 5 Low
Critical · Critical Secret · dist/gemini/tree-sitter-bash-GW2AIDO2.js
Critical · Clipboard Crypto Hijack · dist/gemini/chunk-ZKZMOUOK.js
Critical · Secret Pattern · dist/zod/src/v4/mini/tests/string.test.ts
Critical · Secret Pattern · dist/zod/src/v4/mini/tests/string.test.ts
Critical · Secret Pattern · dist/gemini/tree-sitter-bash-GW2AIDO2.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/gemini/gemini-QA25TZIT.js
High · Shell · dist/gemini/chunk-ZKZMOUOK.js
High · Same File Env Network Execution · dist/gemini/gemini-QA25TZIT.js
High · Command Output Exfiltration · dist/gemini/gemini-QA25TZIT.js
High · Sandbox Evasion Gated Capability · scripts/postinstall.js
High · Remote Agent Bridge · dist/gemini/gemini-QA25TZIT.js
High · Obfuscated
High · Oversized Source File · dist/coder.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/zod/v4-mini/index.cjs
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/gemini/gemini-QA25TZIT.js
Medium · Ships Native Binary · dist/linux-arm64/rg
Medium · Oversized Cli Entrypoint · dist/coder.js
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/zod/src/v4/classic/tests/refine.test.ts
Medium · Secret Pattern · dist/zod/src/v4/classic/tests/refine.test.ts
Medium · Secret Pattern · dist/zod/src/v4/classic/tests/refine.test.ts
Medium · Secret Pattern · dist/zod/src/v3/tests/refine.test.ts
Medium · Secret Pattern · dist/zod/src/v3/tests/refine.test.ts
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings