registry  /  bingocode  /  1.1.180

bingocode@1.1.180

BingoCode - AI-powered coding assistant CLI built on Claude

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package mutates a global AI-agent control surface at npm install time. It installs a package-supplied Claude skill into the user's ~/.claude/skills without a separate user command.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs package.json postinstall
Impact
Future Claude/Codex sessions may load package-supplied behavioral instructions from the user's global skill directory.
Mechanism
unconsented install-time AI-agent skill injection
Attack narrative
On installation, npm runs scripts/install-skills.cjs. That script locates the package's .claude/skills directory and copies each bundled skill into CLAUDE_CONFIG_DIR or ~/.claude/skills, creating the destination as needed. The bundled leanchy skill contains agent behavior instructions, so installing the package silently changes the user's global AI-agent instruction surface before any explicit CLI invocation.
Rationale
Static source inspection confirms an install-time lifecycle script writes package-supplied Claude skill instructions into the user's global AI-agent configuration. Under the firewall boundary, unconsented lifecycle mutation of an AI-agent control surface is concrete attack behavior even without separate credential exfiltration.
Evidence
package.jsonscripts/install-skills.cjs.claude/skills/leanchy/SKILL.md.claude/settings.local.jsonbin/bingobin/bingo-win.cjsbin/claudebin/claude-win.cjsbin/bingocode-win.cjsconfig/bingo-defaults/settings.json~/.claude/skills/leanchy/SKILL.md

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install-skills.cjs
  • scripts/install-skills.cjs copies bundled .claude/skills/* into CLAUDE_CONFIG_DIR or ~/.claude/skills during install
  • Bundled .claude/skills/leanchy/SKILL.md installs AI-agent behavior instructions into the user's global Claude skill surface
  • Install script creates destination directories and does not require an explicit CLI action beyond npm install
Evidence against
  • scripts/install-skills.cjs only copies skill files and skips absent source dir; no network or credential exfiltration seen there
  • bin launchers spawn Bun and copy bingo defaults on user-invoked runtime, aligned with an AI coding CLI
  • Network references inspected are mainly Anthropic/Claude API, local 127.0.0.1:3456 daemon, feedback, IDE/MCP features
  • Bundled .claude/settings.local.json contains permissions but install-skills.cjs does not copy it
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2,163 file(s), 30.5 MB of source, external domains: 1.1.1.1, 127.0.0.1, anthropic.com, api-staging.anthropic.com, api.anthropic.com, api.example.com, api.telegram.org, app.corridor.dev, apps.apple.com, artifactory.infra.ant.dev, beacon.claude-ai.staging.ant.dev, clau.de, claude-ai.staging.ant.dev, claude-staging.fedstart.com, claude.ai, claude.com, claude.fedstart.com, cli.github.com, code.claude.com, cognitiveservices.azure.com, docs.anthropic.com, docs.claude.com, downloads.claude.ai, evil.com, example.com, fonts.googleapis.com, git-scm.com, github.com, hooks.example.com, http-intake.logs.us5.datadoghq.com, json.schemastore.org, mcp-proxy-staging.anthropic.com, mcp-proxy.anthropic.com, mcp.example.com, mcp.sentry.dev, mlaas.games.com, open.feishu.cn, platform.claude.com, platform.staging.ant.dev, play.google.com, pypi.tuna.tsinghua.edu.cn, raw.githubusercontent.com, s3-frontend.infra.ant.dev, slack.com, storage.googleapis.com, support.anthropic.com, support.claude.com, tauri.localhost, www.anthropic.com, www.apple.com

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skills.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
src/utils/powershell/parser.tsView file
1343patternName = generic_password severity = medium line = 1343 matchedText = pwd: '...
Medium
Secret Pattern

Package contains a possible secret pattern.

src/utils/powershell/parser.tsView on unpkg · L1343
bin/claude-win.cjsView file
2L3: const { spawn } = require('node:child_process'); L4: const path = require('path');
High
Child Process

Package source references child process execution.

bin/claude-win.cjsView on unpkg · L2
src/utils/imagePaste.tsView file
2import { randomBytes } from 'crypto' L3: import { execa } from 'execa' L4: import { basename, extname, isAbsolute, join } from 'path'
High
Shell

Package source references shell execution.

src/utils/imagePaste.tsView on unpkg · L2
src/utils/plugins/mcpbHandler.tsView file
4} from '@anthropic-ai/mcpb' L5: import axios from 'axios' L6: import { createHash } from 'crypto' ... L11: import { [redacted] } from '../dxt/helpers.js' L12: import { parseZipModes, unzipFile } from '../dxt/zip.js' L13: import { errorMessage, getErrnoCode, isENOENT, toError } from '../errors.js' ... L92: */ L93: function generateContentHash(data: Uint8Array): string { L94: return createHash('sha256').update(data).digest('hex').substring(0, 16)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/utils/plugins/mcpbHandler.tsView on unpkg · L4
src/utils/deepLink/registerProtocol.tsView file
40// in lockstep — drift here means the check returns a perpetual false. L41: const MACOS_APP_DIR = path.join(os.homedir(), 'Applications', MACOS_APP_NAME) L42: const MACOS_SYMLINK_PATH = path.join( ... L219: L220: switch (process.platform) { L221: case 'darwin': ... L276: case 'win32': { L277: const { stdout, code } = await execFileNoThrow( L278: 'reg',
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/utils/deepLink/registerProtocol.tsView on unpkg · L40
src/utils/ide.tsView file
1354async (isIdeRunningInWindows: boolean, port: number) => { L1355: if (process.env.CLAUDE_CODE_IDE_HOST_OVERRIDE) { L1356: return process.env.CLAUDE_CODE_IDE_HOST_OVERRIDE ... L1364: // Windows, then we must use a different IP address to connect to the extension. L1365: // https://learn.microsoft.com/en-us/windows/wsl/networking L1366: try { L1367: const routeResult = await execa('ip route show | grep -i default', { L1368: shell: true,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/utils/ide.tsView on unpkg · L1354
scripts/install-skills.cjsView file
2Install-time AI-agent control hijack evidence: L2: /** L3: * postinstall: copy bundled skills from .claude/skills/ → ~/.claude/skills/ L4: * ... L20: const pkgRoot = path.resolve(__dirname, '..') L21: const srcSkillsDir = path.join(pkgRoot, '.claude', 'skills') L22: const dstSkillsDir = path.join( L23: process.env.CLAUDE_CONFIG_DIR || path.join(home, '.claude'), L24: 'skills', ... L36: try { L37: fs.mkdirSync(dst, { recursive: true }) L38: const src = path.join(srcSkillsDir, skill) L39: for (const file of fs.readdirSync(src)) { Payload evidence from src/components/mcp/MCPSettings.tsx: L149: if (servers.length === 0 && agentMcpServers.length === 0) { L150: onComplete("No MCP servers configured. Please run /doctor if this is unexpected. Otherwise, run `claude mcp --help` or visit https://code.claude.com/docs/en/mcp to learn more."); L151: } ... L397: } L398: //# sourceMappingURL=data:application/json;charset=utf-8;base64,[redacted]...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skills.cjsView on unpkg · L2
bin/bingo-win.cjsView file
87L88: // 安装 bun(通过 npm install -g bun) L89: function installBun() { ... L92: try { L93: const npmResult = spawnSync( L94: 'npm.cmd',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/bingo-win.cjsView on unpkg · L87
src/utils/vendor/ripgrep/x64-win32/rg.exeView file
path = src/utils/vendor/ripgrep/x64-win32/rg.exe kind = native_binary sizeBytes = 4266496 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

src/utils/vendor/ripgrep/x64-win32/rg.exeView on unpkg
runtime/win_helper.pyView file
path = runtime/win_helper.py kind = build_helper sizeBytes = 26350 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/win_helper.pyView on unpkg

Findings

1 Critical5 High7 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skills.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/claude-win.cjs
HighShellsrc/utils/imagePaste.ts
HighSame File Env Network Executionsrc/utils/ide.ts
HighRuntime Package Installbin/bingo-win.cjs
MediumSecret Patternsrc/utils/powershell/parser.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/utils/deepLink/registerProtocol.ts
MediumShips Native Binarysrc/utils/vendor/ripgrep/x64-win32/rg.exe
MediumShips Build Helperruntime/win_helper.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/utils/plugins/mcpbHandler.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings