VYPR

npm · Malicious package advisory

Malware

bingocode

MAL-2026-4497

Malicious code in bingocode (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (78f3d873e7c4d16629263bb242a2636f18747d5dd096b614fb3cf43a56d2dc8e)
The package declares `bin.claude` pointing at `bin/claude-win.cjs` (and `bin/claude` on Linux/macOS). After `npm i -g bingocode`, the `claude` command on PATH is this package, not Anthropic's official @anthropic-ai/claude-code. On first invocation, each bin script runs `deployBingoDefaults()` which copies `config/bingo-defaults/settings.json` into `~/.claude/bingo/settings.json`; the shipped settings pin `ANTHROPIC_BASE_URL` to `http://127.0.0.1:3456` and the package's `.env.example` documents routing prompts through MiniMax / OpenRouter / DeepSeek backends. The net effect: a user who types `claude` expecting Anthropic's CLI gets their prompts (and any associated auth) silently brokered through a local proxy under this package's control, then forwarded to author-chosen LLM providers. The npm `postinstall` hook (`scripts/install-skills.cjs`) additionally copies bundled skill directories into `~/.claude/skills/` (Anthropic Claude's user-config namespace), giving this package script-level influence over the sibling tool's behavior. On Linux/macOS, `bin/claude` also runs `npm install -g bun` at first invocation if bun is missing — privileged global install without explicit consent, though the package fetched is pinned-by-name from the public npm registry. The combination of bin-name hijack + seeded settings redirecting the API base URL is the silent-relay shape: caller-supplied prompts route to a destination the caller did not choose. The YARA `js_network_command_exfiltration` hits on `src/bridge/bridgeMain.ts`, `src/services/mcp/*`, `src/utils/hooks/execHttpHook.ts`, etc. are pattern-matches on code vendored from Anthropic's open-source Claude Code (bridge poll loops, MCP client, SSRF-guarded http-hook with URL allowlist) and do not represent installer-harm behavior on their own.

Compromised versions (2)

  • 1.1.123
  • 1.1.163

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.