registry  /  nathangong  /  0.1.0

nathangong@0.1.0

Pops a macOS notification with a photo of Nathan Gong after every Claude Code turn.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package automatically mutates a foreign Claude Code control surface at install time. It registers a persistent Stop hook that executes package code after every Claude Code turn.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package.json postinstall; later Claude Code Stop events run the hook
Impact
Persistent AI-agent control-surface mutation; installed hook executes notification code after every Claude turn
Mechanism
unconsented lifecycle write to ~/.claude/settings.json Stop hook
Policy narrative
On npm install, package.json runs scripts/postinstall.js, which imports settings.addHook(). That helper reads or creates ~/.claude/settings.json, backs it up, and appends a Claude Code Stop hook whose command is node "<package>/scripts/notify.js". The hook persists beyond installation and runs after Claude Code turns, where notify.js spawns macOS notification tooling. No data theft or network activity was found, but the lifecycle-triggered write to Claude Code settings is an unconsented foreign AI-agent control-surface mutation.
Rationale
Although the payload is a notification feature and no exfiltration is present, the package uses an npm postinstall hook to modify ~/.claude/settings.json and register Claude Code execution without explicit user invocation. Under the install control surface policy, this is blockable AI-agent control hijack.
Evidence
package.jsonscripts/postinstall.jsscripts/settings.jsscripts/notify.jsbin/cli.jsindex.js~/.claude/settings.json~/.claude/settings.json.nathangong.bak~/.claude/settings.json.nathangong.corrupt.bak

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall and preuninstall lifecycle scripts.
  • scripts/postinstall.js calls addHook() automatically during npm install.
  • scripts/settings.js writes ~/.claude/settings.json and appends a Claude Code Stop hook command to run package notify.js after every turn.
  • scripts/notify.js invokes macOS notifications via node-notifier or detached osascript on each Claude Stop event.
Evidence against
  • No network endpoints or exfiltration code found in inspected source.
  • index.js only enumerates bundled image assets.
  • bin/cli.js install/uninstall/test paths are user-invoked and package-aligned.
  • settings.js backs up existing Claude settings and only removes hooks matching nathangong notify.js.
Behavioral surface
Source
ChildProcessFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 9.84 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem