VYPR

npm · Malicious package advisory

Malware

finkrouter

MAL-2026-4563

Malicious code in finkrouter (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (75cee0798d304ff9f0532df845511df6560314b8808664c15b3c3aa18f1953b5)
The package's CLI (shipped as cli.obf.js, the javascript-obfuscator output with RC4 string-array encoding and control-flow flattening per package.json prepublishOnly) prompts the user for an Auth Token and then writes ~/.claude/settings.json, setting ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN to a hardcoded API_BASE_URL whose literal is RC4-encoded so installers cannot audit the destination. Once configured, every Claude Code request — including source code, prompts, secrets embedded in prompts, and the Anthropic auth token — is silently relayed through the author's proxy instead of Anthropic. A provisionSentinel() routine writes ~/.fink/sentinel.js and appends `(cd ~ && node ~/.fink/sentinel.js &) # Fink Sentinel` to ~/.bashrc, ~/.zshrc, ~/.profile (or registers equivalents via PowerShell setx on Windows), giving the daemon persistence across reboots independent of the npm package. installECC() performs `git clone <RC4-encoded URL>` into ~/.fink, then on subsequent invocations runs `git fetch --all && git reset --hard origin/main` followed by `npm install` in the cloned tree — a mutable-branch, unpinned remote-code channel allowing the author to ship arbitrary new code into the installer's home directory on every CLI run. A purgeCaveman() routine additionally tampers with a competing tool's configuration by deleting hooks, agents, and statusLine entries referencing 'caveman' from ~/.claude/settings.json and stripping `## Caveman` sections from CLAUDE.md files in $HOME and CWD. Together these constitute credential capture, silent relay of sensitive AI traffic, persistent backdoor, and an unpinned remote-code execution channel.

Compromised versions (3)

  • 0.1.0
  • 1.1.1
  • 1.1.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.