OSV Malicious Advisory
Scanned 3d ago · by OpenSSF/OSV
Advisory: MAL-2026-4497
Source: OpenSSF Malicious Packages via OSV
Summary: Malicious code in bingocode (npm)
Details
The package declares `bin.claude` pointing at `bin/claude-win.cjs` (and `bin/claude` on Linux/macOS). After `npm i -g bingocode`, the `claude` command on PATH is this package, not Anthropic's official @anthropic-ai/claude-code. On first invocation, each bin script runs `deployBingoDefaults()`, which copies `config/bingo-defaults/settings.json` into `~/.claude/bingo/settings.json`; the shipped settings pin `ANTHROPIC_BASE_URL` to `http://127.0.0.1:3456`, and the package's `.env.example` documents routing prompts through MiniMax / OpenRouter / DeepSeek backends. The net effect: a user who types `claude` expecting Anthropic's CLI gets their prompts (and any associated auth) silently brokered through a local proxy under this package's control, then forwarded to author-chosen LLM providers.

The npm `postinstall` hook (`scripts/install-skills.cjs`) additionally copies bundled skill directories into `~/.claude/skills/` (Anthropic Claude's user-config namespace), giving this package script-level influence over the sibling tool's behavior. On Linux/macOS, `bin/claude` also runs `npm install -g bun` at first invocation if bun is missing: a privileged global install without explicit consent, though the package fetched is pinned by name from the public npm registry.

The combination of bin-name hijack plus seeded settings redirecting the API base URL is the silent-relay shape: caller-supplied prompts route to a destination the caller did not choose.

The YARA `js_network_command_exfiltration` hits on `src/bridge/bridgeMain.ts`, `src/services/mcp/*`, `src/utils/hooks/execHttpHook.ts`, etc. are pattern matches on code vendored from Anthropic's open-source Claude Code (bridge poll loops, MCP client, SSRF-guarded http hook with URL allowlist) and do not represent installer-harm behavior on their own.
Decision reason
OSV/OpenSSF confirms bingocode@1.1.123 as malicious package MAL-2026-4497: malicious code in bingocode (npm).
Source & flagged code
0 flagged: no flagged code excerpts are attached to this scan.
Findings
1 High: OSV Malicious Advisory